Help with Cronjob Permissions for Draining Nodes

Asked By TechyNerd123 On

I'm trying to automate the process of draining specific nodes on certain days when we perform maintenance. I'm using Kubernetes CronJobs for this task and I've set up the basic configuration. However, when I check the logs, it looks like my service account doesn't have the necessary permissions to drain the nodes. The error I'm encountering says that the service account can't access the nodes resource. What am I missing? Here's a snippet of my current setup for the CronJob and the error message I'm seeing:

```yaml
# kubectl create namespace cronjobs
# kubectl create sa cronjob -n cronjobs
# The --serviceaccount value is <namespace>:<name>, so it must be "cronjobs:cronjob":
# kubectl create clusterrolebinding cronjob --clusterrole=edit --serviceaccount=cronjobs:cronjob
apiVersion: batch/v1
kind: CronJob
metadata:
  name: drain-node11
  namespace: cronjobs
spec:
  schedule: "*/1 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          containers:
            - command:
                - /bin/bash
                - -c
                - |
                  kubectl cordon k8s-worker-11
                  kubectl drain k8s-worker-11 --ignore-daemonsets --delete-emptydir-data
                  exit 0
              image: bitnami/kubectl
              imagePullPolicy: IfNotPresent
              name: job
          # "serviceAccount" is the deprecated alias of this field
          serviceAccountName: cronjob
```

Here's the error from the logs:
```
$ kubectl logs drain-node11-29116657-q6ktb -n cronjobs
Error from server (Forbidden): nodes "k8s-worker-11" is forbidden: User "system:serviceaccount:cronjobs:cronjob" cannot get resource "nodes" in API group "" at the cluster scope
```

EDIT: I've figured out that I need to adjust the RBAC settings. Here's what I believe I need to add to grant the necessary permissions...
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-drainer
rules:
  # cordon patches spec.unschedulable (update is the fallback); drain reads the node.
  # "evict" is not a verb that exists for nodes, so it is not listed.
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "patch", "update"]
  # drain lists the node's pods; "delete" is only used when eviction is disabled/unavailable
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "delete"]
  # eviction is a pod subresource in the core ("") API group
  - apiGroups: [""]
    resources: ["pods/eviction"]
    verbs: ["create"]
  # --ignore-daemonsets makes drain look up the owning DaemonSet, which lives in
  # the "apps" group only; drain never deletes DaemonSets, so no "delete" verb
  - apiGroups: ["apps"]
    resources: ["daemonsets"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-drainer-binding
subjects:
  - kind: ServiceAccount
    name: cronjob
    namespace: cronjobs
roleRef:
  kind: ClusterRole
  name: node-drainer
  apiGroup: rbac.authorization.k8s.io
```

1 Answer

Answered By HelpfulHank47 On

Looks like your service account doesn't have sufficient permissions. You'll need a ClusterRole that allows your cronjob's service account to access node resources, and then bind that role with a ClusterRoleBinding. Check if you have added the required permissions correctly.

CuriousCoder99 -

I tried setting up the ClusterRole as you suggested, but I still got the same permissions error. Is there something wrong with my binding?
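One way to check a ClusterRole against what `kubectl drain` needs without touching a cluster, as an added example that is not part of the question or the answer: a small RBAC rule matcher (wildcard `*` on verbs, groups and resources, plus the `*/subresource` form) run over the `node-drainer` rules from the question and over a constructed subset of the built-in `edit` role. The required-permission list and the `edit` subset are this example's own assumptions.

```python
# Added example: offline check of which (apiGroup, resource, verb) triples that
# `kubectl drain --ignore-daemonsets` needs are NOT granted by a set of RBAC rules.
# Matching follows Kubernetes RBAC semantics: "*" wildcards and "*/subresource".

# Assumed requirement list for drain (core API group is ""):
DRAIN_NEEDS = [
    ("", "nodes", "get"), ("", "nodes", "list"),
    ("", "nodes", "patch"),               # cordon sets spec.unschedulable via patch
    ("", "pods", "get"), ("", "pods", "list"),
    ("", "pods/eviction", "create"),      # eviction subresource
    ("apps", "daemonsets", "get"), ("apps", "daemonsets", "list"),
]

def resource_matches(rule_resource, requested):
    """RBAC resource match: exact, "*", or "*/<sub>" against "<res>/<sub>"."""
    if rule_resource == "*" or rule_resource == requested:
        return True
    if "/" in requested and rule_resource.startswith("*/"):
        return rule_resource[2:] == requested.split("/", 1)[1]
    return False

def rule_allows(rule, group, resource, verb):
    return (("*" in rule["verbs"] or verb in rule["verbs"])
            and ("*" in rule["apiGroups"] or group in rule["apiGroups"])
            and any(resource_matches(r, resource) for r in rule["resources"]))

def missing_permissions(rules, needs=DRAIN_NEEDS):
    """Return the needed triples that no rule grants (empty list means all covered)."""
    return [n for n in needs if not any(rule_allows(r, *n) for r in rules)]

# The node-drainer ClusterRole from the question, as Python data:
NODE_DRAINER = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "patch", "update"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "delete"]},
    {"apiGroups": [""], "resources": ["pods/eviction"], "verbs": ["create"]},
    {"apiGroups": ["apps"], "resources": ["daemonsets"], "verbs": ["get", "list"]},
]

# Constructed subset of the built-in "edit" ClusterRole: namespaced workloads only,
# no cluster-scoped nodes, which is why the first binding produced the Forbidden error.
EDIT_SUBSET = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["pods/eviction"], "verbs": ["create"]},
    {"apiGroups": ["apps"], "resources": ["daemonsets", "deployments"], "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
]

if __name__ == "__main__":
    for name, rules in (("edit (subset)", EDIT_SUBSET), ("node-drainer", NODE_DRAINER)):
        print(f"{name}: missing {missing_permissions(rules) or 'nothing'}")
```

On a live cluster the same question is answered by `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:cronjobs:cronjob`, one call per triple above.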
