vertical-pod-autoscaler admission-controller serviceaccount missing permissions #8877

@muhamedkapoevolt

Which component are you using?:
vertical-pod-autoscaler

helm chart 0.6.0 of vertical-pod-autoscaler

Component version:

What environment is this in?:

Both dev and prod

What did you expect to happen?:

vertical-pod-autoscaler running without errors

What happened instead?:

I installed vertical-pod-autoscaler, chart version 0.6.0, without making any changes in values.yaml. On start I can see a bunch of permission errors in admission-controller:

...
E1202 15:42:23.357898 1 reflector.go:205] "Failed to watch" err="failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:kube-system:vertical-pod-autoscaler-admission-controller" cannot list resource "statefulsets" in API group "apps" at the cluster scope" logger="UnhandledError" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:290" type="*v1.StatefulSet"
I1202 15:42:44.020560 1 reflector.go:404] "Listing and watching" type="*v1.Job" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:290"
E1202 15:42:44.026539 1 reflector.go:205] "Failed to watch" err="failed to list *v1.Job: jobs.batch is forbidden: User "system:serviceaccount:kube-system:vertical-pod-autoscaler-admission-controller" cannot list resource "jobs" in API group "batch" at the cluster scope" logger="UnhandledError" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:290" type="*v1.Job"
I1202 15:42:44.454716 1 reflector.go:404] "Listing and watching" type="*v1.DaemonSet" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:290"
E1202 15:42:44.458754 1 reflector.go:205] "Failed to watch" err="failed to list *v1.DaemonSet: daemonsets.apps is forbidden: User "system:serviceaccount:kube-system:vertical-pod-autoscaler-admission-controller" cannot list resource "daemonsets" in API group "apps" at the cluster scope" logger="UnhandledError" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:290" type="*v1.DaemonSet"
I1202 15:42:55.292683 1 reflector.go:404] "Listing and watching" type="*v1.Deployment" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:290"
E1202 15:42:55.298321 1 reflector.go:205] "Failed to watch" err="failed to list *v1.Deployment: deployments.apps is forbidden: User "system:serviceaccount:kube-system:vertical-pod-autoscaler-admission-controller" cannot list resource "deployments" in API group "apps" at the cluster scope" logger="UnhandledError" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:290" type="*v1.Deployment"
I1202 15:43:01.735250 1 reflector.go:404] "Listing and watching" type="*v1.CronJob" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:290"
E1202 15:43:01.739145 1 reflector.go:205] "Failed to watch" err="failed to list *v1.CronJob: cronjobs.batch is forbidden: User "system:serviceaccount:kube-system:vertical-pod-autoscaler-admission-controller" cannot list resource "cronjobs" in API group "batch" at the cluster scope" logger="UnhandledError" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:290" type="*v1.CronJob"
I1202 15:43:12.033075 1 reflector.go:404] "Listing and watching" type="*v1.ReplicaSet" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:290"
E1202 15:43:12.043263 1 reflector.go:205] "Failed to watch" err="failed to list *v1.ReplicaSet: replicasets.apps is forbidden: User "system:serviceaccount:kube-system:vertical-pod-autoscaler-admission-controller" cannot list resource "replicasets" in API group "apps" at the cluster scope" logger="UnhandledError" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:290" type="*v1.ReplicaSet"
I1202 15:43:15.628623 1 reflector.go:404] "Listing and watching" type="*v1.ReplicationController" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:290"
E1202 15:43:15.632215 1 reflector.go:205] "Failed to watch" err="failed to list *v1.ReplicationController: replicationcontrollers is forbidden: User "system:serviceaccount:kube-system:vertical-pod-autoscaler-admission-controller" cannot list resource "replicationcontrollers" in API group "" at the cluster scope" logger="UnhandledError" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:290" type="*v1.ReplicationController"
I1202 15:43:20.627263 1 reflector.go:404] "Listing and watching" type="*v1.StatefulSet" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:290"
E1202 15:43:20.630764 1 reflector.go:205] "Failed to watch" err="failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:kube-system:vertical-pod-autoscaler-admission-controller" cannot list resource "statefulsets" in API group "apps" at the cluster scope" logger="UnhandledError" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:290" type="*v1.StatefulSet"
I1202 15:43:23.074329 1 reflector.go:404] "Listing and watching" type="*v1.Job" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:290"
E1202 15:43:23.079076 1 reflector.go:205] "Failed to watch" err="failed to list *v1.Job: jobs.batch is forbidden: User "system:serviceaccount:kube-system:vertical-pod-autoscaler-admission-controller" cannot list resource "jobs" in API group "batch" at the cluster scope" logger="UnhandledError" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:290" type="*v1.Job"
I1202 15:43:28.812752 1 reflector.go:404] "Listing and watching" type="*v1.DaemonSet" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:290"
E1202 15:43:28.815792 1 reflector.go:205] "Failed to watch" err="failed to list *v1.DaemonSet: daemonsets.apps is forbidden: User "system:serviceaccount:kube-system:vertical-pod-autoscaler-admission-controller" cannot list resource "daemonsets" in API group "apps" at the cluster scope" logger="UnhandledError" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:290" type="*v1.DaemonSet"
...

How to reproduce it (as minimally and precisely as possible):

I just installed the "blank" chart.
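
A triage aid for logs like the ones above, added here as an example and not code from the issue or the autoscaler project: it parses the API server's "forbidden" messages into distinct denials and groups them into the narrowest RBAC rules that would cover them. The sample log is constructed in the format shown in the issue, and the function names are hypothetical.

```python
import re
from collections import defaultdict

DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" '
    r'cannot (?P<verb>\w+) resource "(?P<res>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<scope>[^"]+)")'
)

def parse_denials(log):
    """Return the distinct (ns, sa, scope, group, resource, verb) denials in a log."""
    out = set()
    for line in log.splitlines():
        m = DENIAL.search(line)
        if m:  # informational lines and unrelated errors are skipped
            out.add((m["ns"], m["sa"], m["scope"] or "*cluster*",
                     m["group"], m["res"], m["verb"]))
    return out

def minimal_rules(denials):
    """Map (ns, sa, scope) -> RBAC rule dicts covering only the denied access."""
    verbs = defaultdict(set)    # (subject, group, resource) -> verbs
    for ns, sa, scope, group, res, verb in denials:
        verbs[((ns, sa, scope), group, res)].add(verb)
    merged = defaultdict(set)   # (subject, group, verbs) -> resources
    for (subject, group, res), vs in verbs.items():
        # Merge only resources with identical verb sets, so no verb is widened.
        merged[(subject, group, tuple(sorted(vs)))].add(res)
    rules = defaultdict(list)
    for (subject, group, vs), resources in sorted(merged.items()):
        rules[subject].append({"apiGroups": [group],
                               "resources": sorted(resources),
                               "verbs": list(vs)})
    return dict(rules)

# Constructed sample in the format of the issue's log (reflector path trimmed).
SA = "system:serviceaccount:kube-system:vertical-pod-autoscaler-admission-controller"
def _denied(kind, res, group):
    return (f'E1202 15:42:23.357898 1 reflector.go:205] "Failed to watch" '
            f'err="failed to list *v1.{kind}: {res} is forbidden: User "{SA}" '
            f'cannot list resource "{res}" in API group "{group}" at the cluster scope"')
SAMPLE_LOG = "\n".join([
    _denied("StatefulSet", "statefulsets", "apps"),
    'I1202 15:42:44.020560 1 reflector.go:404] "Listing and watching" type="*v1.Job"',
    _denied("Job", "jobs", "batch"),
    _denied("Deployment", "deployments", "apps"),
    _denied("ReplicationController", "replicationcontrollers", ""),
    _denied("StatefulSet", "statefulsets", "apps"),  # repeat, as in the issue
])
```

The denials only show `list` because the reflector's initial list fails before it reaches watch; an informer needs both verbs, so compare the output against the ClusterRole the chart actually ships before granting anything.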

Labels

area/vertical-pod-autoscaler, kind/bug, triage/accepted
