Taint operation forbidden on node


#1

I came across this issue where I can’t seem to taint a node while on the node itself. I was running:

[ec2-user@ip-... ~]$ kubectl taint node $(hostname) state=goodbye:NoExecute
Error from server (Forbidden): nodes "ip-....us-west-2.compute.internal" is forbidden: cannot modify taints

Is this intended behavior or am I missing something perhaps RBAC related? I was able to taint the node when on my local machine via kubectl though.

Any help would be appreciated! Thanks! :slight_smile:


#2

Might be auth related. You can run kubectl auth can-i edit nodes or kubectl auth can-i taint nodes for example to find out if you have access.


#3

Ah, so both of those are “no” when I run it on the node.

Do you have pointers on how to give permissions to nodes to edit themselves (I believe I am using RBAC but I’m pretty new) or is that a bad idea in terms of security?


#4

I would be hesitant to having a full user on any of the Nodes, I would limit even having kubectl on a node if possible. I would stick to running kubectl on a non-node machine.


#5

Gotcha. Thanks!