Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. Cohesity Cloud Scale Technology Manual Deployment Guide for Kubernetes Clusters
  3. Section IV. Maintenance
  4. Troubleshooting
  5. Troubleshooting EKS-specific issues
  6. Cluster Autoscaler initialization issue
Cohesity Cloud Scale Technology Manual Deployment Guide for Kubernetes Clusters

Cluster Autoscaler initialization issue

Cluster Autoscaler on EKS fails to initialize due to missing RBAC permissions for the VolumeAttachment resource in the storage.k8s.io API group.

This issue occurs because Kubernetes version 1.33 requires additional permissions that are not included in the default cluster autoscaler ClusterRole. During initialization, the cluster autoscaler status remains Initializing, and pod logs display the following error:

failed to list *v1.VolumeAttachment: volumeattachments.storage.k8s.io is forbidden: User 
"system:serviceaccount:kube-system:cluster-autoscaler" cannot list resource "volumeattachments" 
in API group "storage.k8s.io" at the cluster scope

To resolve the Cluster Autoscaler initialization issue on Kubernetes 1.33 (EKS):

  1. Identify the ClusterRole used by the cluster autoscaler.

    Run the following commands to locate the associated ClusterRoleBinding and view its details:

    kubectl get clusterrolebinding | grep cluster-autoscaler

    kubectl describe clusterrolebinding <binding-name>

  2. Add the volumeattachments resource permission to the ClusterRole. Find the storage.k8s.io rule in the ClusterRole and patch it to include volumeattachments:

    kubectl get clusterrole <cluster-autoscaler-role> -o yaml | grep -n "storage.k8s.io" -A 10

    kubectl patch clusterrole <cluster-autoscaler-role> --type='json' -p='[

      {
        "op": "add",
        "path": "/rules/0/resources/-",
        "value": "volumeattachments"
      }
    ]'
  3. Restart the Cluster Autoscaler deployment to apply the updated permissions.

    kubectl rollout restart deployment/cluster-autoscaler -n kube-system

  4. Verify that the Cluster Autoscaler status is Running.

    kubectl describe cm cluster-autoscaler-status -n kube-system

    autoscalerStatus: Running
  5. Run the following command to confirm if the updated permissions include volumeattachments:

    kubectl get clusterrole <cluster-autoscaler-role> -o yaml | grep -A 15 "storage.k8s.io"

    - apiGroups:
      - storage.k8s.io
      resources:
      - storageclasses
      - csinodes
      - csidrivers
      - csistoragecapacities
      - volumeattachments
      verbs:
      - watch
      - list
      - get
  6. Run the following command to check the Cluster Autoscaler logs to confirm normal operation and ensure that no further permission errors are reported:

    kubectl -n kube-system logs -l app=cluster-autoscaler -f

Feedback

Was this page helpful?
Previous

Webhook displays an error for PV not found

Next

Catalog backup job fails with an error (Status 9202)

Feedback

Was this page helpful?