added missing destination rbac rule for statefulsets #14654
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Farhan Ramzan <[email protected]>
farhanramzan799
force-pushed
the
linkerd-missing-rbac-for-statefulsets
branch
from
b692ebc to
fa30fa9
Compare
Contributor
|
Thanks for taking the time to create this PR @farhanramzan79! Ideally, we'd prefer to not expand our RBAC scope, and the behavior you're seeing where we start trying to read StatefulSets from the k8s API was inadvertently introduced by #14578 in I'm planning on reintroducing a PR similar to #14578 that doesn't require additional RBAC rules, so this PR is will unfortunately not be necessary. I'm going to go ahead and close this, but thank you again for the contribution! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What is the issue?
When using Linkerd (Edge build 2025.10.*), the linkerd-destination component logs repeated warnings such as:
failed to retrieve resource from direct API call apps/v1, Kind=StatefulSet/: statefulsets.apps "" is forbidden:
User "system:serviceaccount:linkerd:linkerd-destination" cannot get resource "statefulsets" in API group "apps" in the namespace ""
This occurs for multiple workloads using StatefulSets (e.g., Elasticsearch, Redis, RabbitMQ).
The issue seems to stem from missing RBAC permissions for statefulsets in the linkerd-destination ClusterRole.
How can it be reproduced?
Deploy Linkerd Edge build 2025.10.2 (including CRDs and control plane).
Deploy workloads that use StatefulSets (for example, Redis or Elasticsearch).
Observe linkerd-destination logs in the linkerd namespace:
kubectl logs -n linkerd deploy/linkerd-destination
You’ll see permission errors similar to:
failed to retrieve resource from direct API call apps/v1, Kind=StatefulSet/... is forbidden
Logs, error output, etc
level=warning msg="failed to retrieve resource from direct API call apps/v1, Kind=StatefulSet/elastic-system/elasticsearch-es-default: statefulsets.apps "elasticsearch-es-default" is forbidden: User "system:serviceaccount:linkerd:linkerd-destination" cannot get resource "statefulsets" in API group "apps" in the namespace "elastic-system""
Image
output of linkerd check -o short
Image
Environment
Linkerd version: edge-2025.10.2
Possible solution
Add missing RBAC permissions for StatefulSets to the linkerd-destination ClusterRole:
apiGroups: ["apps"]
resources: ["replicasets", "statefulsets"]
verbs: ["list", "get", "watch"]