Missing RBAC permissions for VolumeAttributesClass

[lassebm]

What happened:

Deployed 4.13.0 with Helm chart and now observing csi-resizer errors about missing RBAC permissions for VolumeAttributesClass:

csi-resizer E0204 12:09:06.441805       1 reflector.go:205] "Failed to watch" err="failed to list *v1.VolumeAttributesClass: volumeattributesclasses.storage.k8s.io is forbidden: User \"system:serviceaccount:kube-system:csi-nfs-controller-sa\" cannot list resource \"volumeattributesclasses\" in API group \"storage.k8s.io\" at the cluster scope" logger="UnhandledError" reflector="k8s.io/client-go/informers/factory.go:160" type="*v1.VolumeAttributesClass"
csi-resizer E0204 12:09:37.573501       1 reflector.go:205] "Failed to watch" err="failed to list *v1.VolumeAttributesClass: volumeattributesclasses.storage.k8s.io is forbidden: User \"system:serviceaccount:kube-system:csi-nfs-controller-sa\" cannot list resource \"volumeattributesclasses\" in API group \"storage.k8s.io\" at the cluster scope" logger="UnhandledError" reflector="k8s.io/client-go/informers/factory.go:160" type="*v1.VolumeAttributesClass"
csi-resizer E0204 12:10:34.623929       1 reflector.go:205] "Failed to watch" err="failed to list *v1.VolumeAttributesClass: volumeattributesclasses.storage.k8s.io is forbidden: User \"system:serviceaccount:kube-system:csi-nfs-controller-sa\" cannot list resource \"volumeattributesclasses\" in API group \"storage.k8s.io\" at the cluster scope" logger="UnhandledError" reflector="k8s.io/client-go/informers/factory.go:160" type="*v1.VolumeAttributesClass"
csi-resizer E0204 12:11:20.079205       1 reflector.go:205] "Failed to watch" err="failed to list *v1.VolumeAttributesClass: volumeattributesclasses.storage.k8s.io is forbidden: User \"system:serviceaccount:kube-system:csi-nfs-controller-sa\" cannot list resource \"volumeattributesclasses\" in API group \"storage.k8s.io\" at the cluster scope" logger="UnhandledError" reflector="k8s.io/client-go/informers/factory.go:160" type="*v1.VolumeAttributesClass"

What you expected to happen:

Required RBAC permissions deployed and no errors logged.

How to reproduce it:

Deploy 4.13.0 with Helm chart.

Anything else we need to know?:

Not reproducible with 4.12.1.

Environment:

• CSI Driver version: 4.13.0
• Kubernetes version (use kubectl version): 1.34.3
• OS (e.g. from /etc/os-release): Debian 13 (trixie)
• Kernel (e.g. uname -a):
• Install tools:
• Others:

[andyzhangx]

VolumeAttributesClass is not supported by this CSI driver

[lassebm]

@andyzhangx Maybe this behaviour is adjustable in csi-resizer? This is logged by the csi-nfs-controller pods, hence reporting here.

[lassebm]

Also worth noting, this is logged repeatedly once or twice a minute.

[andyzhangx]

Also worth noting, this is logged repeatedly once or twice a minute.

@lassebm could you update the helm chart v4.13.0 and try again?

[lassebm]

@andyzhangx Verified as fixed in Helm chart 4.13.0 from master branch. Thanks for the quick fix!

[lassebm]

@andyzhangx These changes got lost in 4.13.1.

[andyzhangx]

@andyzhangx These changes got lost in 4.13.1.

would be fixed by #1050

[thebigbone]

@andyzhangx I see the same errors on csi-snapshotter container under the csi-nfs-controller pod on 4.13.0 and 4.31.1:

5m0s] snapshotNamePrefix [snapshot] snapshotNameUUIDLength [824633790344]
I0221 07:09:54.716129       1 leaderelection.go:257] attempting to acquire leader lease kube-system/external-snapshotter-leader-nfs-csi-k8s-io...
I0221 07:10:13.103785       1 leaderelection.go:271] successfully acquired lease kube-system/external-snapshotter-leader-nfs-csi-k8s-io
I0221 07:10:13.103968       1 leader_election.go:194] "became leader, starting"
I0221 07:10:13.104617       1 snapshot_controller_base.go:176] Starting CSI snapshotter
E0221 07:10:13.115380       1 reflector.go:205] "Failed to watch" err="failed to list *v1.VolumeSnapshotContent: the server could not find the requested resource (get volumesnapshotcontents.snapshot.storage.k8s.io)" logger="UnhandledError" reflector="github.com/kubernetes-csi/external-snapshotter/client/v8/informers/externalversions/factory.go:142" type="*v1.VolumeSnapshotContent"
E0221 07:10:13.117576       1 reflector.go:205] "Failed to watch" err="failed to list *v1.VolumeSnapshotClass: the server could not find the requested resource (get volumesnapshotclasses.snapshot.storage.k8s.io)" logger="UnhandledError" reflector="github.com/kubernetes-csi/external-snapshotter/client/v8/informers/externalversions/factory.go:142" type="*v1.VolumeSnapshotClass"
E0221 07:10:14.049391       1 reflector.go:205] "Failed to watch" err="failed to list *v1.VolumeSnapshotContent: the server could not find the requested resource (get volumesnapshotcontents.snapshot.storage.k8s.io)" logger="UnhandledError" reflector="github.com/kubernetes-csi/external-snapshotter/client/v8/informers/externalversions/factory.go:142" type="*v1.VolumeSnapshotContent"
E0221 07:10:14.193882       1 reflector.go:205] "Failed to watch" err="failed to list *v1.VolumeSnapshotClass: the server could not find the requested resource (get volumesnapshotclasses.snapshot.storage.k8s.io)" logger="UnhandledError" reflector="github.com/kubernetes-csi/external-snapshotter/client/v8/informers/externalversions/factory.go:142" type="*v1.VolumeSnapshotClass"

[andyzhangx]

@andyzhangx I see the same errors on csi-snapshotter container under the csi-nfs-controller pod on 4.13.0 and 4.31.1:

5m0s] snapshotNamePrefix [snapshot] snapshotNameUUIDLength [824633790344]
I0221 07:09:54.716129       1 leaderelection.go:257] attempting to acquire leader lease kube-system/external-snapshotter-leader-nfs-csi-k8s-io...
I0221 07:10:13.103785       1 leaderelection.go:271] successfully acquired lease kube-system/external-snapshotter-leader-nfs-csi-k8s-io
I0221 07:10:13.103968       1 leader_election.go:194] "became leader, starting"
I0221 07:10:13.104617       1 snapshot_controller_base.go:176] Starting CSI snapshotter
E0221 07:10:13.115380       1 reflector.go:205] "Failed to watch" err="failed to list *v1.VolumeSnapshotContent: the server could not find the requested resource (get volumesnapshotcontents.snapshot.storage.k8s.io)" logger="UnhandledError" reflector="github.com/kubernetes-csi/external-snapshotter/client/v8/informers/externalversions/factory.go:142" type="*v1.VolumeSnapshotContent"
E0221 07:10:13.117576       1 reflector.go:205] "Failed to watch" err="failed to list *v1.VolumeSnapshotClass: the server could not find the requested resource (get volumesnapshotclasses.snapshot.storage.k8s.io)" logger="UnhandledError" reflector="github.com/kubernetes-csi/external-snapshotter/client/v8/informers/externalversions/factory.go:142" type="*v1.VolumeSnapshotClass"
E0221 07:10:14.049391       1 reflector.go:205] "Failed to watch" err="failed to list *v1.VolumeSnapshotContent: the server could not find the requested resource (get volumesnapshotcontents.snapshot.storage.k8s.io)" logger="UnhandledError" reflector="github.com/kubernetes-csi/external-snapshotter/client/v8/informers/externalversions/factory.go:142" type="*v1.VolumeSnapshotContent"
E0221 07:10:14.193882       1 reflector.go:205] "Failed to watch" err="failed to list *v1.VolumeSnapshotClass: the server could not find the requested resource (get volumesnapshotclasses.snapshot.storage.k8s.io)" logger="UnhandledError" reflector="github.com/kubernetes-csi/external-snapshotter/client/v8/informers/externalversions/factory.go:142" type="*v1.VolumeSnapshotClass"

@thebigbone this is different error, have you installed the snapshot CRDs?

[thebigbone]

@andyzhangx I see the same errors on csi-snapshotter container under the csi-nfs-controller pod on 4.13.0 and 4.31.1:

5m0s] snapshotNamePrefix [snapshot] snapshotNameUUIDLength [824633790344]
I0221 07:09:54.716129       1 leaderelection.go:257] attempting to acquire leader lease kube-system/external-snapshotter-leader-nfs-csi-k8s-io...
I0221 07:10:13.103785       1 leaderelection.go:271] successfully acquired lease kube-system/external-snapshotter-leader-nfs-csi-k8s-io
I0221 07:10:13.103968       1 leader_election.go:194] "became leader, starting"
I0221 07:10:13.104617       1 snapshot_controller_base.go:176] Starting CSI snapshotter
E0221 07:10:13.115380       1 reflector.go:205] "Failed to watch" err="failed to list *v1.VolumeSnapshotContent: the server could not find the requested resource (get volumesnapshotcontents.snapshot.storage.k8s.io)" logger="UnhandledError" reflector="github.com/kubernetes-csi/external-snapshotter/client/v8/informers/externalversions/factory.go:142" type="*v1.VolumeSnapshotContent"
E0221 07:10:13.117576       1 reflector.go:205] "Failed to watch" err="failed to list *v1.VolumeSnapshotClass: the server could not find the requested resource (get volumesnapshotclasses.snapshot.storage.k8s.io)" logger="UnhandledError" reflector="github.com/kubernetes-csi/external-snapshotter/client/v8/informers/externalversions/factory.go:142" type="*v1.VolumeSnapshotClass"
E0221 07:10:14.049391       1 reflector.go:205] "Failed to watch" err="failed to list *v1.VolumeSnapshotContent: the server could not find the requested resource (get volumesnapshotcontents.snapshot.storage.k8s.io)" logger="UnhandledError" reflector="github.com/kubernetes-csi/external-snapshotter/client/v8/informers/externalversions/factory.go:142" type="*v1.VolumeSnapshotContent"
E0221 07:10:14.193882       1 reflector.go:205] "Failed to watch" err="failed to list *v1.VolumeSnapshotClass: the server could not find the requested resource (get volumesnapshotclasses.snapshot.storage.k8s.io)" logger="UnhandledError" reflector="github.com/kubernetes-csi/external-snapshotter/client/v8/informers/externalversions/factory.go:142" type="*v1.VolumeSnapshotClass"

@thebigbone this is different error, have you installed the snapshot CRDs?

Sorry, yes I forgot --set externalSnapshotter.enabled=true option.