I want to drain a Node from the Node itself. I therefore created a Service Account and added the token to the .kube/config file on the Node. I also creaded the Role Binding.
But I can't figure out the right permissions. I tried this so far but it didn't work.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: admin-clusterrole
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["drain"]
What would be the correct permissions for that?
Thanks :)
Edit 1:
RoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: node-drainer-clusterrole-bind
namespace: default
subjects:
- kind: ServiceAccount
name: node-drainer-sa
namespace: default
roleRef:
kind: ClusterRole
name: system:node-drainer
apiGroup: rbac.authorization.k8s.io
ServiceAccount:
apiVersion: v1
kind: ServiceAccount
metadata:
name: node-drainer-sa
First off, you should not use the name admin-clusterrole
for this ClusterRole, because you risk locking yourself out of your own cluster by overwriting default bindings.
Here's a ClusterRole which should be able to drain a Node. Let me know if it doesn't work for you.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: system:node-drainer
rules:
# Needed to evict pods
- apiGroups: [""]
resources: ["pods/eviction"]
verbs: ["create"]
# Needed to list pods by Node
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
# Needed to cordon Nodes
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "patch"]
# Needed to determine Pod owners
- apiGroups: ["apps"]
resources: ["statefulsets"]
verbs: ["get", "list"]
# Needed to determine Pod owners
- apiGroups: ["extensions"]
resources: ["daemonsets", "replicasets"]
verbs: ["get", "list"]
You can determine which APIs are used by a kubectl command by using the verbosity levels.
For example:
kubectl drain node my-node -v=10
From here you can inspect the HTTP requests made by kubectl.