
Calico-apiserver missing RBAC for validatingadmissionpolicies after upgrade to Kubernetes 1.31.9 using kubespray #12487

@billzi-7

Description


What happened?

When upgrading from Kubernetes 1.30 → 1.31.9 using Kubespray (release-2.27 branch), Calico-apiserver logs repeated RBAC errors:

W0814 00:14:39.744143 1 reflector.go:547] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: failed to list *v1.ValidatingAdmissionPolicy: validatingadmissionpolicies.admissionregistration.k8s.io is forbidden: User "system:serviceaccount:calico-apiserver:calico-apiserver" cannot list resource "validatingadmissionpolicies" in API group "admissionregistration.k8s.io" at the cluster scope
E0814 00:14:39.744167 1 reflector.go:150] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: Failed to watch *v1.ValidatingAdmissionPolicy: failed to list *v1.ValidatingAdmissionPolicy: validatingadmissionpolicies.admissionregistration.k8s.io is forbidden: User "system:serviceaccount:calico-apiserver:calico-apiserver" cannot list resource "validatingadmissionpolicies" in API group "admissionregistration.k8s.io" at the cluster scope

What did you expect to happen?

Kubespray should provision RBAC roles for Calico-apiserver that include the new admissionregistration resources introduced in 1.31 so that the controller can watch them without RBAC errors.

How can we reproduce it (as minimally and precisely as possible)?

Upgrade cluster with Kubespray tag 2.27.1.

Upgrade from Kubernetes 1.30 → 1.31.9.

Observe Calico-apiserver logs (kubectl -n calico-apiserver logs ), RBAC errors appear.

OS

RHEL 8

Version of Ansible

ansible [core 2.16.9]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.11/site-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/local/bin/ansible
python version = 3.11.11 (main, Dec 9 2024, 20:38:43) [GCC 14.2.0] (/usr/local/bin/python3)
jinja version = 3.1.4
libyaml = True

Version of Python

Python 3.11.11

Version of Kubespray (commit)

45140b5

Network plugin used

calico

Full inventory with variables

n/a

Command used to invoke ansible

n/a

Output of ansible run

n/a

Anything else we need to know

I patched it locally by adding the following after line #237 in the jinja template for the calico-apiserver:

  - validatingadmissionpolicies
  - validatingadmissionpolicybindings

This resolves the issue.
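An added check, not part of the issue or of Kubespray's own code, that takes a ClusterRole as returned by `kubectl get clusterrole <name> -o json`, reports which of the verbs the calico-apiserver reflector needs on the two resources above are still missing, and emits a separate least-privilege rule that closes the gap (rather than extending an existing rule as the local patch does). The sample role, the older admissionregistration resources in it, and the `<name>` placeholder are constructed for the example.

```python
import json
# Resources the calico-apiserver reflector must list/watch on Kubernetes 1.31+: the policies
# are named in the error log, the bindings come from the local template patch described above.
API_GROUP = "admissionregistration.k8s.io"
REQUIRED = {
    "validatingadmissionpolicies": {"list", "watch"},
    "validatingadmissionpolicybindings": {"list", "watch"},
}
ALL_VERBS = {"get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"}

def granted_verbs(rules, api_group, resource):
    """Verbs the PolicyRules grant on one resource, honouring RBAC "*" wildcards.
    Rules with resourceNames never satisfy a cluster-scoped list/watch, so they are skipped."""
    verbs = set()
    for rule in rules:
        if rule.get("resourceNames"):
            continue
        groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
        if api_group not in groups and "*" not in groups:
            continue
        if resource not in resources and "*" not in resources:
            continue
        rule_verbs = set(rule.get("verbs", []))
        verbs |= ALL_VERBS if "*" in rule_verbs else rule_verbs
    return verbs

def missing_permissions(cluster_role):
    """Map resource -> sorted missing verbs; an empty dict means the role is sufficient."""
    rules = cluster_role.get("rules", [])
    gaps = {res: sorted(need - granted_verbs(rules, API_GROUP, res)) for res, need in REQUIRED.items()}
    return {res: verbs for res, verbs in gaps.items() if verbs}

def patched_rules(cluster_role):
    """Copy of the rules plus one rule granting only the missing verbs (least privilege)."""
    missing = missing_permissions(cluster_role)
    rules = [dict(r) for r in cluster_role.get("rules", [])]
    if missing:
        verbs = sorted(set().union(*map(set, missing.values())))
        rules.append({"apiGroups": [API_GROUP], "resources": sorted(missing), "verbs": verbs})
    return rules

# Constructed sample standing in for `kubectl get clusterrole <name> -o json` of a
# pre-1.31 role that only covers the older admissionregistration resources.
SAMPLE_CLUSTERROLE = json.loads("""{"kind": "ClusterRole", "rules": [
  {"apiGroups": ["admissionregistration.k8s.io"],
   "resources": ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"],
   "verbs": ["get", "list", "watch"]}]}""")

if __name__ == "__main__":
    print(json.dumps(missing_permissions(SAMPLE_CLUSTERROLE)))
```

Piping a live role through `missing_permissions` before and after an upgrade makes the regression visible without waiting for the reflector errors to appear in the pod logs.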

Metadata


Labels: RHEL 8, kind/bug (Categorizes issue or PR as related to a bug.)
