You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The example deployment manifest for the Linode CCM uses the cluster-admin role. When deploying the CCM with a limited clusterrole, the CCM fails to start if it doesn't have access to get on configmaps:
W0222 19:11:17.239825 1 requestheader_controller.go:193] Unable to get configmap/extension-apiserver-authentication in kube-system. Usually fixed by 'kubectl create rolebinding -n kube-system ROLEBINDING_NAME --role=extension-apiserver-authentication-reader --serviceaccount=YOUR_NS:YOUR_SA'
unable to load configmap based request-header-client-ca-file: configmaps "extension-apiserver-authentication" is forbidden: User "system:serviceaccount:kube-system:default" cannot get resource "configmaps" in API group "" in the namespace "kube-system"
It looks like Digital Ocean ran into a similar problem after updating their K8s deps (digitalocean/digitalocean-cloud-controller-manager#217). Possible short-term solutions could be to add the --authentication-skip-lookup=true flag to the deployment example manifest, or to hardcode this option in the binary
The text was updated successfully, but these errors were encountered:
The example deployment manifest for the Linode CCM uses the cluster-admin role. When deploying the CCM with a limited clusterrole, the CCM fails to start if it doesn't have access to
getonconfigmaps:This seems to be related to upstream issue, see: kubernetes/cloud-provider#34
It looks like Digital Ocean ran into a similar problem after updating their K8s deps (digitalocean/digitalocean-cloud-controller-manager#217). Possible short-term solutions could be to add the
--authentication-skip-lookup=trueflag to the deployment example manifest, or to hardcode this option in the binaryThe text was updated successfully, but these errors were encountered: