Cluster Autoscaler initialization issue
Cluster Autoscaler on EKS fails to initialize due to missing RBAC permissions for the VolumeAttachment resource in the storage.k8s.io API group.
This issue occurs because Kubernetes version 1.33 requires additional permissions that are not included in the default cluster autoscaler ClusterRole. During initialization, the cluster autoscaler status does not reach Running, and pod logs display the following error:
failed to list *v1.VolumeAttachment: volumeattachments.storage.k8s.io is forbidden: User "system:serviceaccount:kube-system:cluster-autoscaler" cannot list resource "volumeattachments" in API group "storage.k8s.io" at the cluster scope
To resolve the Cluster Autoscaler initialization issue on Kubernetes 1.33 (EKS):
- Identify the ClusterRole used by the cluster autoscaler.
Run the following commands to locate the associated ClusterRoleBinding and view its details:
kubectl get clusterrolebinding | grep cluster-autoscaler
kubectl describe clusterrolebinding <binding-name>
- Add the volumeattachments resource permission to the ClusterRole.
Find the storage.k8s.io rule in the ClusterRole and patch it to include volumeattachments:
kubectl get clusterrole <cluster-autoscaler-role> -o yaml | grep -n "storage.k8s.io" -A 10
kubectl patch clusterrole <cluster-autoscaler-role> --type='json' -p='[
{ "op": "add", "path": "/rules/0/resources/-", "value": "volumeattachments" } ]'
The patch path targets rule index 0. If the storage.k8s.io rule is not the first entry under rules in the ClusterRole, replace 0 with the index of that rule; otherwise the resource is added to the wrong rule.
- Restart the Cluster Autoscaler deployment to apply the updated permissions.
kubectl rollout restart deployment/cluster-autoscaler -n kube-system
- Verify that the Cluster Autoscaler status is Running.
kubectl describe cm cluster-autoscaler-status -n kube-system
autoscalerStatus: Running
- Run the following command to confirm that the updated permissions include volumeattachments:
kubectl get clusterrole <cluster-autoscaler-role> -o yaml | grep -A 15 "storage.k8s.io"
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  - csinodes
  - csidrivers
  - csistoragecapacities
  - volumeattachments
  verbs:
  - watch
  - list
  - get
- Check the Cluster Autoscaler logs to confirm normal operation and that no further permission errors are reported:
kubectl -n kube-system logs -l app=cluster-autoscaler -f
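As an added example (not part of the original article), the following Python script computes the JSON patch from the ClusterRole's JSON instead of assuming the storage.k8s.io rule sits at /rules/0, returns nothing to do when the permission is already present, and falls back to appending a new rule when no suitable storage.k8s.io rule exists. The sample ClusterRole, the role name and the script filename are constructed for illustration.

```python
"""Build the kubectl JSON patch that grants the cluster autoscaler ClusterRole
get/list/watch on volumeattachments, locating the storage.k8s.io rule index."""
import json
import shlex
import sys

NEEDED_VERBS = {"get", "list", "watch"}   # what the autoscaler's informer needs
RESOURCE = "volumeattachments"
GROUP = "storage.k8s.io"

def build_volumeattachments_patch(clusterrole):
    """Return JSON-patch ops for `kubectl patch --type=json`, or [] if the
    ClusterRole already grants get/list/watch on volumeattachments."""
    rules = clusterrole.get("rules") or []
    for idx, rule in enumerate(rules):
        if GROUP not in (rule.get("apiGroups") or []):
            continue
        verbs = set(rule.get("verbs") or [])
        if "*" not in verbs and not NEEDED_VERBS <= verbs:
            continue  # this rule lacks list/watch/get; keep looking
        resources = rule.get("resources") or []
        if RESOURCE in resources or "*" in resources:
            return []
        # Patch the rule at its real index rather than a hard-coded /rules/0.
        return [{"op": "add", "path": f"/rules/{idx}/resources/-", "value": RESOURCE}]
    # No usable storage.k8s.io rule: append a minimal new one.
    return [{"op": "add", "path": "/rules/-",
             "value": {"apiGroups": [GROUP], "resources": [RESOURCE],
                       "verbs": sorted(NEEDED_VERBS)}}]

def patch_command(role_name, patch):
    """Render the kubectl command that applies `patch` to `role_name`."""
    return ("kubectl patch clusterrole " + shlex.quote(role_name)
            + " --type=json -p=" + shlex.quote(json.dumps(patch)))

# Constructed sample ClusterRole: the storage.k8s.io rule is at index 1,
# so the page's /rules/0 path would modify the wrong rule here.
SAMPLE_ROLE = {
    "metadata": {"name": "cluster-autoscaler"},
    "rules": [
        {"apiGroups": [""], "resources": ["events", "endpoints"],
         "verbs": ["create", "patch"]},
        {"apiGroups": [GROUP], "verbs": ["watch", "list", "get"],
         "resources": ["storageclasses", "csinodes", "csidrivers",
                       "csistoragecapacities"]},
    ],
}

if __name__ == "__main__":
    # Usage: kubectl get clusterrole <role> -o json | python3 ca_va_patch.py
    role = SAMPLE_ROLE if sys.stdin.isatty() else json.load(sys.stdin)
    ops = build_volumeattachments_patch(role)
    print("already granted" if not ops else patch_command(role["metadata"]["name"], ops))
```

Review the printed command before running it; it only adds the single resource to the rule it identified.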