Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "8c7acbb9641d544561e28630408410f79047597359323295af1ce407f5857786": plugin type="calico" failed (add): error getting ClusterInformation: connection is unauthorized: Unauthorized
error killing pod: failed to "KillPodSandbox" for "139398dd-750a-481f-a4a5-637fba585ffd" with KillPodSandboxError: "rpc error: code = Unknown desc = failed to destroy network for sandbox \\"8c7acbb9641d544561e28630408410f79047597359323295af1ce407f5857786\\": plugin type=\\"calico\\" failed (delete): error getting ClusterInformation: connection is unauthorized: Unauthorized"
kubectl -n kube-system logs calico-node-cl24b -c install-cni
W0706 07:18:34.468818 1 client_config.go:617] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
2025-07-06 07:18:34.480 [ERROR][1] cni-installer/<nil> <nil>: Unable to create token for CNI kubeconfig error=serviceaccounts "calico-node" is forbidden: User "system:serviceaccount:kube-system:calico-node" cannot create resource "serviceaccounts/token" in API group "" in the namespace "kube-system"
2025-07-06 07:18:34.480 [FATAL][1] cni-installer/<nil> <nil>: Unable to create token for CNI kubeconfig error=serviceaccounts "calico-node" is forbidden: User "system:serviceaccount:kube-system:calico-node" cannot create resource "serviceaccounts/token" in API group "" in the namespace "kube-system"
When Calico's install-cni container tries to create the kubeconfig token for the CNI, the request is denied because the calico-node ServiceAccount does not have permission to create the serviceaccounts/token resource.
cat <<EOF | kubectl apply -f -
# Grants token creation (TokenRequest) on ServiceAccounts cluster-wide
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: calico-node-token-creator
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]
---
# Binds the role to the calico-node ServiceAccount named in the error
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: calico-node-token-creator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-node-token-creator
subjects:
  - kind: ServiceAccount
    name: calico-node
    namespace: kube-system
EOF
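The ClusterRole above has no resourceNames, so it lets calico-node create tokens for any ServiceAccount in any namespace. A narrower grant, as an added example that is not part of the original note: it assumes the only token needed is the one named in the log (calico-node in kube-system), and the "-scoped" object names are hypothetical.

```yaml
# Added example: least-privilege variant of the grant above.
# A namespaced Role instead of a ClusterRole, limited to one ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: calico-node-token-creator-scoped   # hypothetical name
  namespace: kube-system
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    # Only tokens for this ServiceAccount; the name is taken from the denied
    # request in the log (serviceaccounts "calico-node" is forbidden).
    # If your log names a different ServiceAccount, use that name instead.
    resourceNames: ["calico-node"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: calico-node-token-creator-scoped   # hypothetical name
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: calico-node-token-creator-scoped
subjects:
  - kind: ServiceAccount
    name: calico-node
    namespace: kube-system
```

To confirm the grant took effect, run `kubectl -n kube-system auth can-i create serviceaccounts/calico-node --subresource=token --as=system:serviceaccount:kube-system:calico-node`; with the scoped Role in place of the ClusterRole, the same check for any other ServiceAccount name should answer no.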
After applying the permissions, restart the affected Pod: