Cluster Autoscaler emits repeated warning events due to missing gitlab-registry imagePullSecret (from unpinned upstream manifest)

[elderapo]

Current behavior

When enabling the Cluster Autoscaler addon, a Kubernetes Warning event is emitted for the autoscaler pod:

Unable to retrieve some image pull secrets (gitlab-registry); attempting to pull the image may not succeed.

The autoscaler itself works, but it generates a high volume of warning events (over 600 within ~11 hours after deployment), creating significant noise in a default setup.

Why this happens

hetzner-k3s uses the upstream Hetzner CloudProvider example manifest from kubernetes/autoscaler:

That manifest currently contains:

imagePullSecrets:
  - name: gitlab-registry

The secret is not created by hetzner-k3s, and the autoscaler image
(registry.k8s.io/autoscaling/cluster-autoscaler) is public, so kubelet emits a Warning event.

This behavior was also mentioned in #581 (comment).

Upstream issue:
kubernetes/autoscaler#8976

Suggestion

To make the autoscaler deployment deterministic and avoid regressions from upstream changes, it would be preferable for hetzner-k3s to avoid consuming a raw manifest from another repository’s master branch.

Two possible approaches:

• Manage a locally versioned autoscaler manifest within hetzner-k3s
• Or wait for the upstream issue to be fixed and then pin to a specific known-good revision

Both approaches would:

• Ensure predictable behavior across deployments
• Avoid breakage from upstream changes unrelated to hetzner-k3s
• Make updates explicit and intentional

[vitobotta]

Hi, thanks for reporting this issue! I think that using local copies of all manifests - while still offering the option to specify custom manifests for those who know what they're doing - would be the best solution, so thanks for the suggestion. This can give me control, so in this case for example if the missing secret only generates noise I could simply remove it from the manifest. I'll make these changes after the holidays :)