Clusterrole does not have 'get' permissions on pods

[ajcann]

Going over cluster api audit logs, I see aws-node-termination-handler attempts to use the 'get' verb on pod resources but these requests are rejected. I see that the helm chart's clusterrole specifies list but not get get.

Will this harm functionality in anyway? Should we amend the clusterrole to have get permissions or is this get request unintentional?

[haugenj]

Hey thanks for bringing this up! Without diving too deep on this, I don't think this affects the ability of aws-node-termination-hander (famous last words). Cordoning and draining is working in all our tests, have you seen any issues with draining in your cluster?

I audited the clusterrole permissions a while back and didn't notice any errors percolate into the aws-node-termination-handler logs during execution, is there any more info in the cluster api logs about when this get request is being made? I think we should narrow down why this get request is being made before deciding whether to modify the permissions.

[ajcann]

@haugenj Thanks for responding so quickly! We haven't explicitly noticed any issues stemming from this, though our clusters are fairly large and busy so certain issues may go unnoticed. I believe this get calls happens shortly after the /eviction endpoint is hit. I suspect it's attempting to get the pod status?