PREQUEL-2025-0079
AWS Cluster Autoscaler Access Denied
Severity: Medium
Impact: 3/10
Mitigation: 3/10
Description
**Cluster Autoscaler** tries to fetch node-group metadata (labels) to decide
whether a node group can satisfy a pending pod's affinity constraints and therefore
whether it can scale up for that pod.
The call to the EKS control plane fails with

```
Failed to get labels from EKS DescribeNodegroup API for nodegroup <name>
… AccessDeniedException: User <ARN> is not authorized to perform:
eks:DescribeNodegroup on resource: arn:aws:eks:<region>:<acct>:nodegroup/…
```

Once the error is hit the Autoscaler marks the node group
**Not-Ready for scaling actions**, so pending pods remain unscheduled
and scale-down decisions are skipped.
Mitigation
1. **Attach or update the recommended policy**

   ```bash
   aws iam create-policy --policy-name AmazonEKSClusterAutoscalerPolicy \
     --policy-document file://cluster-autoscaler-iam.json # see docs
   aws iam attach-role-policy --role-name cluster-autoscaler \
     --policy-arn arn:aws:iam::<acct>:policy/AmazonEKSClusterAutoscalerPolicy
   ```

   The JSON must include:

   ```json
   {
     "Action": ["eks:DescribeNodegroup", "eks:DescribeCluster", …],
     "Effect": "Allow",
     "Resource": "*"
   }
   ```

2. **Verify IRSA mapping**

   ```bash
   kubectl -n kube-system annotate sa cluster-autoscaler \
     eks.amazonaws.com/role-arn=arn:aws:iam::<acct>:role/cluster-autoscaler --overwrite
   ```

3. **Roll the Deployment**

   ```bash
   kubectl rollout restart deployment/cluster-autoscaler -n kube-system
   ```

4. **Test**: watch logs until you see
   `Successfully described nodegroup …` and confirm Pending pods
   begin to schedule.
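The following Python script is an added example, not part of this rule or of the Cluster Autoscaler project. It turns the log signature from the Description into structured data a responder can act on: which IAM role was refused, which action is missing (the input for step 1's policy), which node groups are affected, and which have since logged the `Successfully described nodegroup` line that step 4 waits for. It assumes the `AccessDeniedException` message arrives on a single line in the collected logs; the sample log lines, account ID, region and node-group IDs are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Patterns follow the log format quoted in the Description. The second one assumes
# the whole AccessDeniedException message was collected on one line.
NODEGROUP_RE = re.compile(
    r"Failed to get labels from EKS DescribeNodegroup API for nodegroup (?P<nodegroup>[^\s:]+)"
)
ACCESS_DENIED_RE = re.compile(
    r"AccessDeniedException: User (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9]+) on resource: (?P<resource>\S+)"
)
SUCCESS_RE = re.compile(r"Successfully described nodegroup (?P<nodegroup>[^\s:]+)")


@dataclass(frozen=True)
class AccessDenied:
    principal: str            # ARN that was refused (usually an STS assumed-role ARN)
    action: str               # IAM action missing from the role's policy
    resource: str             # EKS node-group ARN that was requested
    nodegroup: Optional[str]  # node-group name from the surrounding autoscaler message


def parse_access_denied(line: str) -> Optional[AccessDenied]:
    """Return a structured event if the line carries the AccessDeniedException, else None."""
    m = ACCESS_DENIED_RE.search(line)
    if not m:
        return None
    ng = NODEGROUP_RE.search(line)
    return AccessDenied(
        principal=m.group("principal"),
        action=m.group("action"),
        resource=m.group("resource"),
        nodegroup=ng.group("nodegroup") if ng else None,
    )


def role_name_from_principal(principal: str) -> Optional[str]:
    """Map an STS assumed-role ARN (arn:aws:sts::<acct>:assumed-role/<role>/<session>)
    to the IAM role name that `aws iam attach-role-policy --role-name` expects."""
    parts = principal.split(":", 5)
    if len(parts) != 6 or not parts[5].startswith("assumed-role/"):
        return None
    return parts[5].split("/")[1]


def scan_log(lines: Iterable[str]) -> Dict[str, object]:
    """Summarise a log: missing actions per IAM role, node groups still failing,
    and node groups that were later described successfully (the recovery signal)."""
    denied: List[AccessDenied] = []
    recovered: Set[str] = set()
    for line in lines:
        ev = parse_access_denied(line)
        if ev:
            denied.append(ev)
            continue
        ok = SUCCESS_RE.search(line)
        if ok:
            recovered.add(ok.group("nodegroup"))
    missing_by_role: Dict[str, Set[str]] = {}
    for ev in denied:
        role = role_name_from_principal(ev.principal) or ev.principal
        missing_by_role.setdefault(role, set()).add(ev.action)
    still_broken = {ev.nodegroup for ev in denied if ev.nodegroup} - recovered
    return {"missing_by_role": missing_by_role, "still_broken": still_broken, "recovered": recovered}


# Constructed sample log lines; account ID, region, cluster and node-group IDs are placeholders.
SAMPLE_LOG = [
    "I0101 12:00:00.000000       1 aws_manager.go:123] Failed to get labels from EKS "
    "DescribeNodegroup API for nodegroup ng-workers-a: AccessDeniedException: User "
    "arn:aws:sts::123456789012:assumed-role/cluster-autoscaler/1700000000000000000 "
    "is not authorized to perform: eks:DescribeNodegroup on resource: "
    "arn:aws:eks:us-east-1:123456789012:nodegroup/demo-cluster/ng-workers-a/abcd1234-0000-1111-2222-333344445555",
    "I0101 12:00:05.000000       1 static_autoscaler.go:456] 2 unschedulable pods remain, no scale-up possible",
    "I0101 12:10:00.000000       1 aws_manager.go:123] Successfully described nodegroup ng-workers-b",
]

if __name__ == "__main__":
    summary = scan_log(SAMPLE_LOG)
    for role, actions in summary["missing_by_role"].items():
        print(f"role {role} is missing: {', '.join(sorted(actions))}")
    print("node groups still failing:", sorted(summary["still_broken"]))
    print("node groups recovered:", sorted(summary["recovered"]))
```

Feed it the autoscaler's output (for example from `kubectl -n kube-system logs deployment/cluster-autoscaler`) before and after applying the mitigation: the `missing_by_role` set tells you which actions to add in step 1, and an empty `still_broken` set after the rollout in step 3 is the same signal step 4 asks you to watch for.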