kill-host-pods.py: filter pods by node

petrutlucian94 · petrutlucian94 · commit 0f545d0cea73 · 2025-01-10T15:29:59.000Z
Starting with k8s 1.32, AuthorizeNodeWithSelectors is enabled by default: https://kubernetes.io/docs/reference/access-authn-authz/node/ If the rbac microk8s addon is enabled, the kube-apiserver will run with "--authorization-mode=RBAC,Node". This means that kublets (system:node:$node) will no longer be allowed to access pods that reside on other nodes. For this reason, the "kill-host-pods.py" script is now getting access denied errors: Error from server (Forbidden): pods is forbidden: User "system:node:myhostname" cannot list resource "pods" in API group "" at the cluster scope: can only list/watch pods with spec.nodeName field selector As suggested by the error message, we'll solve it by filtering pods by the node name. Fixes: #4802
diff --git a/microk8s-resources/default-hooks/reconcile.d/10-pods-restart b/microk8s-resources/default-hooks/reconcile.d/10-pods-restart
@@ -4,7 +4,9 @@
 
 if ! [ -e "${SNAP_DATA}/var/lock/no-cni-reload" ] &&
   [ -e "${SNAP_DATA}/var/lock/snapdata-mounts-need-reload" ]; then
-  if (is_apiserver_ready) && "${SNAP}/scripts/kill-host-pods.py" --with-snap-data-mounts --with-owner -- -A; then
+  if (is_apiserver_ready) && "${SNAP}/scripts/kill-host-pods.py" \
+      --with-snap-data-mounts --with-owner \
+      -- -A --field-selector spec.nodeName=$(hostname) ; then
     rm "${SNAP_DATA}/var/lock/snapdata-mounts-need-reload"
   fi
 fi
