If the cluster-info configmap in the kube-public namespace is missing (removed manually in this case as the embedded certificate-authority-data did not get updated after the cluster's CA was recreated), the fallback is buildKubeconfigFromEndpointSlice - but it fails due to permissions:
[pod/operating-system-manager-[...]/operating-system-manager] {"level":"error","time":"[...]","logger":"controller-runtime.cache.UnhandledError","caller":"runtime/runtime.go:212","msg":"Failed to watch","reflector":"k8s.io/client-go@v0.34.0/tools/cache/reflector.go:290","type":"*v1.Endpoints","error":"failed to list *v1.Endpoints: endpoints is forbidden: User \"system:serviceaccount:kube-system:operating-system-manager\" cannot list resource \"endpoints\" in API group \"\" at the cluster scope"}
No roles or bindings were touched:
# kubectl get roles -n default operating-system-manager -o yaml | yq '.rules'
- apiGroups:
  - ""
  resourceNames:
  - kubernetes
  resources:
  - endpoints
  verbs:
  - get
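Why the Role shown above does not cover the request in the log, as an added example (not code from operating-system-manager or Kubernetes): a simplified Go model of how a namespaced RBAC Role rule is matched against a request. The names `Rule`, `Request`, `RoleAllows` and `PageRule` are hypothetical, and the model assumes this Role is the only grant that applies to the service account.

```go
package main

import "fmt"

// Rule holds the PolicyRule fields used by the Role shown in the issue.
type Rule struct{ APIGroups, Resources, ResourceNames, Verbs []string }

// Request models an API request; Namespace "" is cluster scope, Name "" a collection.
type Request struct{ Verb, APIGroup, Resource, Namespace, Name string }

// has reports whether v is in list; "*" matches anything when wild is true.
func has(list []string, v string, wild bool) bool {
	for _, s := range list {
		if s == v || (wild && s == "*") {
			return true
		}
	}
	return false
}

// RoleAllows reports whether a Role in roleNS with rule r covers req, and why not.
func RoleAllows(roleNS string, r Rule, req Request) (bool, string) {
	switch {
	case req.Namespace != roleNS:
		return false, "scope: a Role applies only inside its own namespace"
	case !has(r.Verbs, req.Verb, true):
		return false, "verb not granted"
	case !has(r.APIGroups, req.APIGroup, true) || !has(r.Resources, req.Resource, true):
		return false, "API group or resource not granted"
	case len(r.ResourceNames) > 0 && !has(r.ResourceNames, req.Name, false):
		return false, "resourceNames does not include the requested name"
	}
	return true, ""
}

// PageRule is the rule printed by the kubectl command in the issue.
func PageRule() Rule {
	return Rule{[]string{""}, []string{"endpoints"}, []string{"kubernetes"}, []string{"get"}}
}

func main() {
	// Constructed requests; the second models the cluster-wide list from the log.
	for _, q := range []Request{{"get", "", "endpoints", "default", "kubernetes"}, {"list", "", "endpoints", "", ""}} {
		ok, why := RoleAllows("default", PageRule(), q)
		fmt.Printf("%-4s ns=%q name=%q allowed=%v %s\n", q.Verb, q.Namespace, q.Name, ok, why)
	}
}
```

The named `get` in `default` passes, while the reflector's `list` at cluster scope is rejected on scope before the verb or `resourceNames` is even considered.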