
insufficient permissions for cilium clusterrole #17753

@kraashen

Description


/kind bug

1. What kops version are you running? The command kops version will display
this information.

1.34.0

2. What Kubernetes version are you running? kubectl version will print the
version if a cluster is running or provide the Kubernetes version specified as
a kops flag.

1.33.5-1.34.1

3. What cloud provider are you using?

OpenStack

4. What commands did you run? What is the simplest way to reproduce this issue?

Deploying new or updating an old cluster with kOps 1.34

5. What happened after the commands executed?

Cluster update is successful, but the Cilium deployment has the following errors in its logs:

time=2025-11-11T07:50:23.023611279Z level=error msg=k8sError error="failed to list *v1.Secret: secrets is forbidden: User \"system:serviceaccount:kube-system:cilium\" cannot list resource \"secrets\" in API group \"\" in the namespace \"kube-system\""

6. What did you expect to happen?

Cilium has sufficient permissions.

7. Please provide your cluster manifest.

Cilium settings:

  kubeProxy:
    enabled: false
  networking:
    cilium:
      enableNodePort: true

8. Please run the commands with most verbose logging by adding the -v 10 flag.
Paste the logs into this report, or in a gist and provide the gist link here.

Not applicable

9. Anything else do we need to know?

Cilium has introduced a conditional application of secrets permissions for the default apiGroup: https://github.com/cilium/cilium/blob/cb92b9141687b282005464886510c9f55f843c4f/install/kubernetes/cilium/templates/cilium-agent/clusterrole.yaml#L90-L97

The same setting doesn't seem to be located in the kops template.

Not sure if kops is doing something else under the hood regarding Cilium settings with its namespacing and TLS configurations, but should kOps handle this permission configuration for Cilium?
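Added here as an illustration, not code from kOps or Cilium: a small Python helper that parses the RBAC denial quoted in the report into subject, verb, resource, API group and namespace, builds the kubectl auth can-i command that reproduces the check as the cilium service account, and emits the narrowest Role and RoleBinding that would satisfy it. The function names and the role name cilium-secrets-reader are hypothetical; treating a namespaced Role in kube-system as a sufficient stopgap (rather than the cluster-wide rule in the upstream ClusterRole) is an assumption, and whether kOps should ship the rule itself is the question the report raises.

```python
import re

# The denial line quoted in the report above, embedded so the example runs
# offline (the \" sequences are how the agent escapes quotes inside error=).
SAMPLE_LOG = (
    r'time=2025-11-11T07:50:23.023611279Z level=error msg=k8sError '
    r'error="failed to list *v1.Secret: secrets is forbidden: '
    r'User \"system:serviceaccount:kube-system:cilium\" cannot list resource '
    r'\"secrets\" in API group \"\" in the namespace \"kube-system\""'
)

# Shape of the apiserver's RBAC denial; the namespace clause is absent for
# cluster-scoped requests (those end with "at the cluster scope").
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)")?'
)


def parse_forbidden(line):
    """Return subject, verb, resource, group and namespace of a denial, or None."""
    m = FORBIDDEN_RE.search(line.replace('\\"', '"'))
    return m.groupdict() if m else None


def service_account(user):
    """Split system:serviceaccount:<ns>:<name> into (ns, name); None otherwise."""
    parts = user.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return parts[2], parts[3]
    return None


def can_i_command(denial):
    """kubectl command that reproduces the denial without reading agent logs."""
    resource = denial["resource"] + ("." + denial["group"] if denial["group"] else "")
    parts = ["kubectl", "auth", "can-i", denial["verb"], resource]
    if denial["namespace"]:
        parts += ["-n", denial["namespace"]]
    parts.append("--as=" + denial["user"])
    return " ".join(parts)


def verbs_for(denied_verb):
    # An informer refused "list" is refused "watch" on its next call, so the
    # read verbs are granted together; any other verb is granted alone.
    read = ("get", "list", "watch")
    return read if denied_verb in read else (denied_verb,)


def rbac_manifest(denial, name="cilium-secrets-reader"):
    """Minimal Role/RoleBinding (ClusterRole/ClusterRoleBinding when the denial
    is cluster-scoped) granting exactly the denied access. Name is hypothetical."""
    sa = service_account(denial["user"])
    if sa is None:
        raise ValueError("only ServiceAccount subjects are handled here")
    sa_ns, sa_name = sa
    ns = denial["namespace"]
    role_kind = "Role" if ns else "ClusterRole"
    ns_line = f"  namespace: {ns}\n" if ns else ""
    verbs = "".join(f"  - {v}\n" for v in verbs_for(denial["verb"]))
    role = (
        "apiVersion: rbac.authorization.k8s.io/v1\n"
        f"kind: {role_kind}\n"
        f"metadata:\n  name: {name}\n{ns_line}"
        "rules:\n"
        f'- apiGroups: ["{denial["group"]}"]\n'
        f'  resources: ["{denial["resource"]}"]\n'
        f"  verbs:\n{verbs}"
    )
    binding = (
        "apiVersion: rbac.authorization.k8s.io/v1\n"
        f"kind: {role_kind}Binding\n"
        f"metadata:\n  name: {name}\n{ns_line}"
        "roleRef:\n  apiGroup: rbac.authorization.k8s.io\n"
        f"  kind: {role_kind}\n  name: {name}\n"
        "subjects:\n- kind: ServiceAccount\n"
        f"  name: {sa_name}\n  namespace: {sa_ns}\n"
    )
    return role + "---\n" + binding


if __name__ == "__main__":
    denial = parse_forbidden(SAMPLE_LOG)
    print("# verify with:", can_i_command(denial))
    print(rbac_manifest(denial))
```

A namespaced Role keeps the grant to secrets in kube-system only, which is the least privilege the denial calls for; the read verbs are granted together because an agent informer that is refused list would be refused watch next. Run the printed can-i command before and after applying the manifest to confirm the change, and drop the stopgap once the addon template carries the rule itself.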
