
Setting owner-ref for pvc in sts results in error #20569

Closed
michalrabinowitch opened this issue Aug 8, 2018 · 3 comments

@michalrabinowitch

[Setting owner-ref for pvc in sts results in error:
cannot set an ownerRef on a resource you can't delete: User "system:serviceaccount:kube-system:statefulset-controller" cannot delete persistentvolumeclaims in project "michal-test", ]

Version

[provide output of the openshift version or oc version command]

Steps To Reproduce
  1. Create a custom resource
  2. Add role and role binding with these permissions:
Rules:
  API Groups:

  Attribute Restrictions:  <nil>
  Resources:
    pods
  Verbs:
    get
    list
    patch
    update
    watch
  API Groups:

  Attribute Restrictions:  <nil>
  Resources:
    services
  Verbs:
    create
    delete
    get
    list
    patch
    update
    watch
Events:  <none>
  3. Create a stateful set with PVC and owner ref of the custom resource
Current Result

pods do not get created, pod-0 has an event:
create Claim test-0 for Pod test-0 in StatefulSet test failed error: persistentvolumeclaims "test-0" is forbidden: cannot set an ownerRef on a resource you can't delete: User "system:serviceaccount:kube-system:statefulset-controller" cannot delete persistentvolumeclaims in project "michal-test", <nil>

Expected Result

pods get created, PVCs bound to pods. -> This exact flow works on GCP

Additional Information

[v3.9.33]
k8s source code that generates the error: https://github.com/kubernetes/kubernetes/blob/88c25ca2d957ed32b9d24b91880450560b0062c1/plugin/pkg/admission/gc/gc_admission.go#L116

question 1: should I configure something else for this to work?
question 2: why do I see different results for OpenShift and GKE ?

@enj
Contributor

enj commented Aug 13, 2018

question 2: why do I see different results for OpenShift and GKE ?

I will assume your OpenShift API master is at v3.9.33. The OwnerReferencesPermissionEnforcement admission plugin was changed in v3.10 for OpenShift [1] and v1.11 for Kubernetes [2] to avoid the delete permissions check on create. So my guess would be that you are using an old enough version of OpenShift to hit this case, and a new enough version of Kubernetes to avoid it.

[1] #19404
[2] kubernetes/kubernetes#63403

question 1: should I configure something else for this to work?

Upgrade to v3.10.

I am going to close this. Feel free to reopen if you still encounter the issue on v3.10.

@enj enj closed this as completed Aug 13, 2018
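An added illustration, not code from this issue or from the OpenShift/Kubernetes plugin itself: a stripped-down Go model of the admission decision enj describes, with a constructed authorizer built from the role in the reproduction steps. The names Validate, RoleAuthorizer and the sample owner "StatefulSet/test" are assumptions.

```go
package main

import "fmt"

// Operation is the admission operation under evaluation.
type Operation string

const (
	Create Operation = "CREATE"
	Update Operation = "UPDATE"
)

// Attributes is the subset of admission attributes the check needs ("Kind/Name" owner refs; OldOwnerRefs is nil on create).
type Attributes struct {
	User, Namespace, Resource, Name string
	Operation                      Operation
	NewOwnerRefs, OldOwnerRefs     []string
}

// Authorizer answers whether user may perform verb on resource in namespace (stands in for the real SubjectAccessReview).
type Authorizer func(user, verb, resource, namespace string) bool

// changingOwnerRefs reports whether the request sets or alters ownerReferences.
func changingOwnerRefs(a Attributes) bool {
	return fmt.Sprint(a.NewOwnerRefs) != fmt.Sprint(a.OldOwnerRefs)
}

// Validate is a simplified model of the OwnerReferencesPermissionEnforcement decision,
// not the real plugin. skipDeleteCheckOnCreate=false models OpenShift 3.9 / Kubernetes
// <1.11 (delete permission required even on create, the error in this issue); true models
// 3.10 / 1.11, which skip it on create. The blockOwnerDeletion finalizer check is omitted.
func Validate(a Attributes, authz Authorizer, skipDeleteCheckOnCreate bool) error {
	if !changingOwnerRefs(a) {
		return nil // ownerReferences untouched: always allowed
	}
	if skipDeleteCheckOnCreate && a.Operation == Create {
		return nil // the creator could have chosen not to create it at all
	}
	if !authz(a.User, "delete", a.Resource, a.Namespace) {
		return fmt.Errorf("%s %q is forbidden: cannot set an ownerRef on a resource you can't delete: User %q cannot delete %s in project %q",
			a.Resource, a.Name, a.User, a.Resource, a.Namespace)
	}
	return nil
}

// RoleAuthorizer builds an Authorizer from a constructed namespaced role (resource -> verb -> allowed).
func RoleAuthorizer(ns string, rules map[string]map[string]bool) Authorizer {
	return func(_, verb, resource, reqNS string) bool { return reqNS == ns && rules[resource][verb] }
}
```

With the role from the reproduction steps (pods and services only), a PVC create carrying an ownerRef is rejected under the 3.9 model and accepted under the 3.10 model, while an update that adds an ownerRef still requires delete permission in both.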
@michalrabinowitch
Author

@enj Oh, but my GKE version is 1.9.7-gke.5. Could it be that GKE does not use the admission plugin or configures it differently?
I didn't know of OwnerReferencesPermissionEnforcement so already learned something new.
thanks

@enj
Contributor

enj commented Aug 15, 2018

@michalrabinowitch ah yes, I believe GKE has OwnerReferencesPermissionEnforcement disabled by default, whereas OpenShift has it enabled by default.
