This repository has been archived by the owner on Sep 5, 2019. It is now read-only.

build webhook pod reports '"webhook.build.knative.dev" is forbidden: cannot set blockOwnerDeletion' #523

Open
cmoulliard opened this issue Jan 8, 2019 · 3 comments

Comments

@cmoulliard

Expected Behavior

Knative build pod should start without error

Actual Behavior

When the Knative build webhook starts, it generates this error:

```
{"level":"error","logger":"webhook","caller":"webhook/webhook.go:294","msg":"Failed to register webhook{error 25 0  Failed to create a webhook: mutatingwebhookconfigurations.admissionregistration.k8s.io \"webhook.build.knative.dev\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: no RBAC policy matched, <nil>}","knative.dev/controller":"webhook","stacktrace":"github.com/knative/build/vendor/github.com/knative/pkg/webhook.(*AdmissionController).Run\n\t/usr/local/google/home/mattmoor/go/src/github.com/knative/build/vendor/github.com/knative/pkg/webhook/webhook.go:294\nmain.main\n\t/usr/local/google/home/mattmoor/go/src/github.com/knative/build/cmd/webhook/main.go:92\nruntime.main\n\t/usr/lib/google-golang/src/runtime/proc.go:201"}
```

Steps to Reproduce the Problem

  1. oc new-project knative-build
  2. oc create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=admin
  3. oc apply -f https://github.com/knative/build/releases/download/v0.2.0/release.yaml

Additional Info

Version used: k8s 1.11, openshift 3.11
Knative Build release: 0.2.0

@cmoulliard
Author

Workaround is to edit the generated clusterrole and add the following missing rule:

```yaml
- apiGroups:
  - extensions
  resources:
  - deployments/finalizers
  verbs:
  - get
  - list
  - create
  - update
```

@cmoulliard
Author

The webhook pod is now starting, but it reports this error:

```
{"level":"info","caller":"logging/config.go:85","msg":"Logging level set to info"}
{"level":"info","logger":"webhook","caller":"webhook/main.go:57","msg":"Starting the Configuration Webhook","knative.dev/controller":"webhook"}
{"level":"info","logger":"webhook","caller":"webhook/webhook.go:276","msg":"Found certificates for webhook...","knative.dev/controller":"webhook"}
{"level":"info","logger":"webhook","caller":"webhook/webhook.go:386","msg":"Webhook already exists","knative.dev/controller":"webhook"}
{"level":"info","logger":"webhook","caller":"webhook/webhook.go:392","msg":"Updating webhook","knative.dev/controller":"webhook"}
{"level":"info","logger":"webhook","caller":"webhook/webhook.go:297","msg":"Successfully registered webhook","knative.dev/controller":"webhook"}
{"level":"error","logger":"webhook","caller":"webhook/webhook.go:305","msg":"ListenAndServeTLS for admission webhook returned error{error 25 0  listen tcp :443: bind: permission denied}","knative.dev/controller":"webhook","stacktrace":"github.com/knative/build/vendor/github.com/knative/pkg/webhook.(*AdmissionController).Run.func1\n\t/usr/local/google/home/mattmoor/go/src/github.com/knative/build/vendor/github.com/knative/pkg/webhook/webhook.go:305"}
```


@cmoulliard
Author

When a build is created, the service account used by the build's pod (created by the operator) produces the same error:

```
message: 'pods "simple-app-64f24-r9sgt" is forbidden: cannot set blockOwnerDeletion
      if an ownerReference refers to a resource you can''t set finalizers on: no RBAC
      policy matched, <nil>'
```
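Both the webhook failure (owner: its own Deployment) and the build-pod failure above (owner: the Build) come from the same admission check, the OwnerReferencesPermissionEnforcement plugin: whoever creates an object with an ownerReference that sets blockOwnerDeletion=true must be allowed to `update` the owner's `<resource>/finalizers` subresource, and that is what the workaround rule grants. The script below is an added example, not code from knative/build or Tekton; it models that check offline so you can see which finalizers rule a ClusterRole is missing before deploying. The rules, owner references and names in it are constructed samples (not the real release.yaml), and the kind-to-resource mapping is a naive lower-case plural, which is an assumption that holds for Deployment, Build and TaskRun but is not what the API server's RESTMapper does in general.

```python
"""Model of the check behind "cannot set blockOwnerDeletion if an ownerReference
refers to a resource you can't set finalizers on".

Added example, not code from knative/build or Tekton. It imitates the
OwnerReferencesPermissionEnforcement admission plugin: for every ownerReference
with blockOwnerDeletion=true, the requester must be allowed to 'update' the
owner's <resource>/finalizers subresource. The ClusterRole rules and objects
below are constructed samples, not the real release.yaml.
"""


def api_group(api_version):
    """'extensions/v1beta1' -> 'extensions'; a bare 'v1' is the core group ''."""
    return api_version.split("/", 1)[0] if "/" in api_version else ""


def kind_to_resource(kind):
    """Assumption: lower-case plural. The real API server resolves kind -> resource
    through discovery (RESTMapper); this is enough for Deployment/Build/TaskRun."""
    return kind.lower() + "s"


def rule_grants(rule, group, resource, verb):
    """True if one RBAC PolicyRule covers (group, resource, verb); '*' is a wildcard."""
    def matches(values, wanted):
        return "*" in values or wanted in values
    return (matches(rule.get("apiGroups", []), group)
            and matches(rule.get("resources", []), resource)
            and matches(rule.get("verbs", []), verb))


def missing_finalizer_permissions(rules, owner_refs):
    """Return (group, resource) for each owner that sets blockOwnerDeletion=true
    but whose <resource>/finalizers subresource the rules do not allow 'update' on.
    An empty list means the object would pass the admission check."""
    missing = []
    for ref in owner_refs:
        if not ref.get("blockOwnerDeletion"):
            continue  # the plugin only enforces this when blockOwnerDeletion is true
        group = api_group(ref["apiVersion"])
        resource = kind_to_resource(ref["kind"])
        if not any(rule_grants(r, group, resource + "/finalizers", "update") for r in rules):
            missing.append((group, resource))
    return missing


# Constructed, trimmed-down stand-in for the controller ClusterRole: it can manage
# deployments, builds and pods, but has no '<resource>/finalizers' subresource rules.
BASE_RULES = [
    {"apiGroups": ["apps", "extensions"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": ["build.knative.dev"], "resources": ["builds", "buildtemplates"],
     "verbs": ["get", "list", "watch", "update", "patch"]},
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["get", "list", "watch", "create", "delete"]},
]

# The rule from the workaround comment (extensions deployments/finalizers).
DEPLOYMENT_FINALIZERS_RULE = {
    "apiGroups": ["extensions"], "resources": ["deployments/finalizers"],
    "verbs": ["get", "list", "create", "update"],
}

# The same shape of rule for the Build that owns a build pod.
BUILD_FINALIZERS_RULE = {
    "apiGroups": ["build.knative.dev"], "resources": ["builds/finalizers"],
    "verbs": ["update"],
}

# Constructed ownerReferences: the webhook's MutatingWebhookConfiguration owned by
# its Deployment, and a build pod owned by its Build. Object names are made up.
WEBHOOK_OWNER_REFS = [{"apiVersion": "extensions/v1beta1", "kind": "Deployment",
                       "name": "webhook", "controller": True, "blockOwnerDeletion": True}]
BUILD_POD_OWNER_REFS = [{"apiVersion": "build.knative.dev/v1alpha1", "kind": "Build",
                         "name": "simple-app-64f24", "controller": True, "blockOwnerDeletion": True}]


if __name__ == "__main__":
    print(missing_finalizer_permissions(BASE_RULES, WEBHOOK_OWNER_REFS))
    print(missing_finalizer_permissions(BASE_RULES + [DEPLOYMENT_FINALIZERS_RULE], WEBHOOK_OWNER_REFS))
    print(missing_finalizer_permissions(BASE_RULES + [DEPLOYMENT_FINALIZERS_RULE], BUILD_POD_OWNER_REFS))
    print(missing_finalizer_permissions(BASE_RULES + [DEPLOYMENT_FINALIZERS_RULE, BUILD_FINALIZERS_RULE],
                                        BUILD_POD_OWNER_REFS))
```

Against the base rules the webhook object is rejected for `extensions`/`deployments`; adding the workaround rule clears that but the build pod is still rejected for `build.knative.dev`/`builds` until a `builds/finalizers` rule is added as well, which is the second symptom reported above. On a live cluster the same question can be put to the API server with `oc auth can-i update deployments/finalizers --as=system:serviceaccount:<namespace>:<serviceaccount>`. The plugin is part of OpenShift's default admission chain, which is why the error shows up there and not on clusters that do not enable it.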

hrishin added a commit to hrishin/tekton-pipeline that referenced this issue Mar 5, 2019
When a `taskruns` or `pipelineruns` instance is created, build pod creation
fails with the following error for the `tekton-pipelines-controller` service account.

```
'pods "hello-task-64f24-r9sgt" is forbidden: cannot set blockOwnerDeletion
if an ownerReference refers to a resource you can't set finalizers on: no RBAC
policy matched, <nil>'
```

This patch fixes the required permission for the `tekton-pipelines-admin` role,
so the controller can set the required metadata on the build pod.

Fixes
 - knative/build#523
knative-prow-robot pushed a commit to tektoncd/pipeline that referenced this issue Mar 6, 2019