https://rancher.com/ logo
Title
b

bland-area-30120

01/25/2023, 4:35 PM
Hello, We had an issue today after replacing a managed node group, rancher decided to delete the new node group, and a few more we added manually. Looking at the permissions we've given rancher now I see a lot of uneccesary things, like in our case "eks:DeleteNodegroup" We're not using rancher to provision the clusters, they're created elsewhere and then imported. Do we really need all the permissions listed here? https://ranchermanager.docs.rancher.com/v2.5/reference-guides/amazon-eks-permissions/minimum-eks-permissions
the issue was resolved by removing the cluster from rancher and adding it again. we still don't know why this happened
c

careful-piano-35019

01/26/2023, 9:33 AM
did you import initially the cluster in an earlier version of Rancher ?
b

bland-area-30120

01/26/2023, 9:36 AM
yes, we've updated rancher quite a few times after we imported the cluster initially
there are also a few other clusters we've done the same procedure with in the last 2 weeks without issues. at least one of them is older then the cluster that had the problem yesterday
c

careful-piano-35019

01/26/2023, 10:25 AM
ok, I was thinking out loud. Hard to say without a way to reproduce.
b

bland-area-30120

01/26/2023, 10:27 AM
understood. Any thoughts on removing permissions I don't want rancher to have?
c

careful-piano-35019

01/26/2023, 10:29 AM
yes that includes permissions to enable full cluster management and provisionning
it may work with less, but mostly tests are with those profiles
b

bland-area-30120

01/26/2023, 10:30 AM
ok, I'll try to test this myself. Mostly thinking about removing delete permissions