[Bug, Cluster Autoscaler] Errors coming from missing permissions for CSI-related API resources #4224

Closed
kevin-lindsay-1 opened this issue Jul 23, 2021 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@kevin-lindsay-1

Which component are you using?:

Cluster autoscaler

What version of the component are you using?:

Chart version 9.9.2
Image version 1.21.0

What k8s version are you using (kubectl version)?:

kubectl version Output
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.3", GitCommit:"ca643a4d1f7bfe34773c74f79527be4afd95bf39", GitTreeState:"clean", BuildDate:"2021-07-15T20:58:09Z", GoVersion:"go1.16.5", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"21+", GitVersion:"v1.21.2-13+d2965f0db10712", GitCommit:"d2965f0db1071203c6f5bc662c2827c71fc8b20d", GitTreeState:"clean", BuildDate:"2021-06-26T00:59:14Z", GoVersion:"go1.16.5", Compiler:"gc", Platform:"linux/amd64"}

What environment is this in?:

AWS EKS

What did you expect to happen?:

No persistent errors when running the autoscaler

What happened instead?:

Getting a few errors related to missing permissions that don't appear to be on either the clusterrole or role.

First error is missing permissions on csidrivers:

k8s.io/client-go/informers/factory.go:134: Failed to watch *v1.CSIDriver: failed to list *v1.CSIDriver: csidrivers.storage.k8s.io is forbidden: User "system:serviceaccount:infrastructure:cluster-autoscaler-aws-cluster-autoscaler" cannot list resource "csidrivers" in API group "storage.k8s.io" at the cluster scope

Second error is missing permissions on csistoragecapacities:

k8s.io/client-go/informers/factory.go:134: Failed to watch *v1beta1.CSIStorageCapacity: failed to list *v1beta1.CSIStorageCapacity: csistoragecapacities.storage.k8s.io is forbidden: User "system:serviceaccount:infrastructure:cluster-autoscaler-aws-cluster-autoscaler" cannot list resource "csistoragecapacities" in API group "storage.k8s.io" at the cluster scope

How to reproduce it (as minimally and precisely as possible):

By the looks of it, you just need to try to start the service with this general environment.

Anything else we need to know?:

Looking at the k8s resource outputs, checking my api-resources, and looking at the templates for the clusterrole and role, these permissions appear to not be being added to the serviceaccount, so should theoretically be a simple chart patch.

@kevin-lindsay-1 kevin-lindsay-1 added the kind/bug Categorizes issue or PR as related to a bug. label Jul 23, 2021
@kevin-lindsay-1 kevin-lindsay-1 changed the title [Bug, Cluster Autoscaler]Errors coming from missing permissions for CSI-related API resources [Bug, Cluster Autoscaler] Errors coming from missing permissions for CSI-related API resources Jul 23, 2021
@kevin-lindsay-1
Author

It looks like #4214 would fix this issue.

@gjtempleton
Member

This should have been resolved by the merging and release of #4154. Can you confirm that version 9.10.1 or 9.10.2 resolves this issue for you?

@kevin-lindsay-1
Author

Yep, looks like it's fixed.
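
The forbidden errors quoted in the issue name the subject, API group, resource and verb, which is enough to derive the least-privilege RBAC rule to review against the chart's ClusterRole. The following is an added example, not part of the thread or of the cluster-autoscaler chart; the function names are hypothetical and the input is the two log lines from the issue.

```python
import re
from collections import defaultdict

# The two reflector errors quoted in the issue above, verbatim.
SA = "system:serviceaccount:infrastructure:cluster-autoscaler-aws-cluster-autoscaler"
SAMPLE_LOG = [
    'k8s.io/client-go/informers/factory.go:134: Failed to watch *v1.CSIDriver: '
    'failed to list *v1.CSIDriver: csidrivers.storage.k8s.io is forbidden: '
    f'User "{SA}" cannot list resource "csidrivers" '
    'in API group "storage.k8s.io" at the cluster scope',
    'k8s.io/client-go/informers/factory.go:134: Failed to watch *v1beta1.CSIStorageCapacity: '
    'failed to list *v1beta1.CSIStorageCapacity: csistoragecapacities.storage.k8s.io is forbidden: '
    f'User "{SA}" cannot list resource "csistoragecapacities" '
    'in API group "storage.k8s.io" at the cluster scope',
]

FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

def missing_rules(lines):
    """Group RBAC denials by (subject, namespace, API group)."""
    grouped = defaultdict(lambda: {"resources": set(), "verbs": set()})
    for line in lines:
        m = FORBIDDEN.search(line)
        if not m:
            continue  # not an RBAC denial
        rule = grouped[(m["user"], m["namespace"], m["group"])]
        rule["resources"].add(m["resource"])
        rule["verbs"].add(m["verb"])
        # A reflector lists first and then watches, so a denied list hides
        # the watch it needs next; record both for informer errors.
        if m["verb"] == "list" and "Failed to watch" in line:
            rule["verbs"].add("watch")
    return {k: {f: sorted(v) for f, v in r.items()} for k, r in grouped.items()}

def render(rules):
    """Render the grouped denials as RBAC rule stanzas for review."""
    out = []
    for (user, ns, group), r in sorted(rules.items(), key=str):
        kind = f"Role in namespace {ns}" if ns else "ClusterRole"
        out.append(f"# {user}: add to a {kind}")
        out.append(f'- apiGroups: ["{group}"]')
        out.append("  resources: [" + ", ".join(f'"{x}"' for x in r["resources"]) + "]")
        out.append("  verbs: [" + ", ".join(f'"{x}"' for x in r["verbs"]) + "]")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(missing_rules(SAMPLE_LOG)))
```

Only the verbs the errors show as denied (plus the informer's follow-up watch) are emitted, so the resulting rule stays read-only and scoped to the two CSI resources.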
