Namespaces “kube-system” is forbidden

Question

I’m having a problem when I install ebs-csi-driver for AWS EKS I used the account with administratoraccess to install via was console but had an error “namespaces “kube-system” is forbidden: User “eks:addon-manager” cannot patch resource “namespaces” in API group “” in the namespace “kube-system”” I don’t know why the administrator permission can not install add-on. I also tried to create IAM role but follow Link but receive error : Error from server (NotFound): serviceaccounts “ebs-csi-controller-sa” not found

I just started with Kubernetes so don’t know how t resolve, Anyone can help ?

I follow Link

HELMUTH ANDRES NISTAL URIZAR · Answer 1 · 2023-04-11T16:01:46.860

2

Had the same issue, after manually adding "patch" permission under namespace rule the installation was completed. I used the following command to edit that resource.

kubectl edit clusterrole eks:addon-manager

Hope this works for you :)

pd: I assume that this is needed only during the installation so after the I removed that permission.

edited Apr 11 '23 at 16:01

answered Apr 11 '23 at 15:54

HELMUTH ANDRES NISTAL URIZAR

21
2

Can you be more specific and possibly provide example? – Travis Bear Jun 09 '23 at 17:34
This is part of the problem maybe, but there is another thing I have to fix before the whole problem solved. https://repost.aws/questions/QUEAwOTFmCTLG-SzJQOhkx3w/accessdenied-when-create-ebs-csi-driver – tom10271 Jun 12 '23 at 15:50

score 0 · Answer 2 · answered Apr 12 '23 at 07:54

0

While creating addon by default it inherit role of nodegroup, by giving permission of "AmazonEKSClusterPolicy" to your nodegroup's role might solve this issue.

answered Apr 12 '23 at 07:54

Ankit Rai

3
2

Namespaces “kube-system” is forbidden

2 Answers2