Missing role permissions needed in example manifest

[cmagorian]

From deploying the example manifest (not helm), I needed to add the following block in the ClusterRole:

- apiGroups: ['']
  resources: [endpoints]
  verbs: [get, patch, update]

To remove this error message:

leaderelection.go:324] error retrieving resource lock kube-system/draino: endpoints "draino" is forbidden: User "system:serviceaccount:kube-system:draino" cannot get resource "endpoints" in API group "" in the namespace "kube-system"

Would you guys be open to a PR for this?

[tomaaron]

I'm having nearly the same issue:

E1015 08:57:38.037739       1 leaderelection.go:328] error initially creating leader election record: endpoints is forbidden: User "system:serviceaccount:kube-system:draino" cannot create resource "endpoints" in API group "" in the namespace "kube-system"

I guess there is also create missing. Take a look at the helm chart. I would suggest to create the manifest from the helm chart and sync it via github actions or similar.

[jacobstr]

Yep! Open to an MR!

[matharoo]

I was getting a similar error too but with creation :

error initially creating leader election record: endpoints is forbidden: User "system:serviceaccount:kube-system:draino" cannot create resource "endpoints" in API group "" in the namespace "kube-system"

So I also added create under endpoints:

- apiGroups: ['']
  resources: [endpoints]
  verbs: [get, create, patch, update]

[tarunptala]

yes i experienced the same. Solved it by adding that extra rbac permissions. Btw its correctly mentioned in given helm chart, but yes it should be updated in the manifest.yml as well. @cmagorian