Remove unnecessary delete daemonset permission #140
Conversation
| @@ -36,4 +36,3 @@ rules: | |||
| - daemonsets | |||
| verbs: | |||
| - get | |||
There was a problem hiding this comment.
Actually, why does the node termination handler need any access to daemonset or replicaset resources? AFAIK, NTH only queries Node?
There was a problem hiding this comment.
Good point, I'll test it out removing those as well and see if there's any gotchas
There was a problem hiding this comment.
Just a small update, removing the get daemonset permissions is causing the e2e test to break so I'm looking into what's going on there. I'm not totally convinced it's a real error rather than a problem with the test
There was a problem hiding this comment.
It looks like the daemonset get permissions are required so that we can filter out the daemonsets within the RunNodeDrain call: https://github.com/kubernetes/kubernetes/blob/fb6f5d739b08e049b188806d6e33099f85fad2fe/staging/src/k8s.io/kubectl/pkg/drain/drain.go#L189
I haven't had any issues with removing the replicaset permissions though, so I'll take that out in a new revision.
|
Corresponding change to the eks-chart aws/eks-charts#114 |
Issue #138, if available:
Description of changes:
Deleted the the line in the cluster role config file that gives NTH permission to delete daemonsets.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.