knative / build

A Kubernetes-native Build resource.

build webhook pod reports "webhook.build.knative.dev" is forbidden: cannot set blockOwnerDeletion

cmoulliard opened this issue · comments

Expected Behavior

Knative build pod should start without error

Actual Behavior

When the Knative build webhook starts, it generates this error:

```
{"level":"error","logger":"webhook","caller":"webhook/webhook.go:294","msg":"Failed to register webhook{error 25 0  Failed to create a webhook: mutatingwebhookconfigurations.admissionregistration.k8s.io \"webhook.build.knative.dev\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: no RBAC policy matched, <nil>}","knative.dev/controller":"webhook","stacktrace":"github.com/knative/build/vendor/github.com/knative/pkg/webhook.(*AdmissionController).Run\n\t/usr/local/google/home/mattmoor/go/src/github.com/knative/build/vendor/github.com/knative/pkg/webhook/webhook.go:294\nmain.main\n\t/usr/local/google/home/mattmoor/go/src/github.com/knative/build/cmd/webhook/main.go:92\nruntime.main\n\t/usr/lib/google-golang/src/runtime/proc.go:201"}
```

Steps to Reproduce the Problem

  1. oc new-project knative-build
  2. oc create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=admin
  3. oc apply -f https://github.com/knative/build/releases/download/v0.2.0/release.yaml

Additional Info

Version used: k8s 1.11, openshift 3.11
Knative Build release: 0.2.0

The workaround is to edit the generated ClusterRole and add the following missing rule:

```yaml
- apiGroups:
  - extensions
  resources:
  - deployments/finalizers
  verbs:
  - get
  - list
  - create
  - update
```

The webhook pod now starts, but it reports this error instead:

```
{"level":"info","caller":"logging/config.go:85","msg":"Logging level set to info"}
{"level":"info","logger":"webhook","caller":"webhook/main.go:57","msg":"Starting the Configuration Webhook","knative.dev/controller":"webhook"}
{"level":"info","logger":"webhook","caller":"webhook/webhook.go:276","msg":"Found certificates for webhook...","knative.dev/controller":"webhook"}
{"level":"info","logger":"webhook","caller":"webhook/webhook.go:386","msg":"Webhook already exists","knative.dev/controller":"webhook"}
{"level":"info","logger":"webhook","caller":"webhook/webhook.go:392","msg":"Updating webhook","knative.dev/controller":"webhook"}
{"level":"info","logger":"webhook","caller":"webhook/webhook.go:297","msg":"Successfully registered webhook","knative.dev/controller":"webhook"}
{"level":"error","logger":"webhook","caller":"webhook/webhook.go:305","msg":"ListenAndServeTLS for admission webhook returned error{error 25 0  listen tcp :443: bind: permission denied}","knative.dev/controller":"webhook","stacktrace":"github.com/knative/build/vendor/github.com/knative/pkg/webhook.(*AdmissionController).Run.func1\n\t/usr/local/google/home/mattmoor/go/src/github.com/knative/build/vendor/github.com/knative/pkg/webhook/webhook.go:305"}
```


When a build is created, the service account used by the build's pod (created by the operator) produces the same error:

```yaml
message: 'pods "simple-app-64f24-r9sgt" is forbidden: cannot set blockOwnerDeletion
      if an ownerReference refers to a resource you can''t set finalizers on: no RBAC
      policy matched, <nil>'
```
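Both errors in this issue come from the same admission rule: an object whose `ownerReferences[]` entry sets `blockOwnerDeletion: true` is only admitted if its creator holds the `update` verb on the owner's `<resource>/finalizers` subresource. The script below is an added example, not code from the issue or from knative/build. It derives that requirement from each owner reference (the webhook's own Deployment for the MutatingWebhookConfiguration, the Build for the build pod), checks a ClusterRole for it, and emits the narrowest rule that closes the gap (`update` only, rather than the four verbs of the workaround above). The ClusterRole and owner references are constructed stand-ins, and the Kind-to-resource pluralisation is a simplification that is labelled as such in the code.

```python
"""Check whether a ClusterRole lets a controller set blockOwnerDeletion on its objects.

Added example; not code from the issue or from knative/build. The
OwnerReferencesPermissionEnforcement admission plugin admits an object whose
ownerReferences[] set blockOwnerDeletion=true only if the creator holds the
`update` verb on the owner's `<resource>/finalizers` subresource. The helpers
below derive that requirement from each owner reference and look for it in a
role's rules, so the missing grant can be found and added at least privilege
before a pod reports "no RBAC policy matched". All sample data is constructed.
"""
import copy
from typing import Any, Dict, List

Rule = Dict[str, List[str]]


def owner_ref_requirement(owner_ref: Dict[str, Any]) -> Dict[str, str]:
    """Map an ownerReference to the apiGroup/resource/verb its creator must hold.

    "extensions/v1beta1" -> group "extensions"; a core apiVersion such as "v1"
    has the empty group. Kind -> resource pluralisation (lowercase + "s") is a
    simplification that holds for the kinds in this issue (Deployment, Build,
    Pod); a real tool would consult API discovery instead (assumption).
    """
    api_version = owner_ref["apiVersion"]
    group = api_version.rsplit("/", 1)[0] if "/" in api_version else ""
    plural = owner_ref["kind"].lower() + "s"
    return {"apiGroup": group, "resource": plural + "/finalizers", "verb": "update"}


def rule_grants(rule: Rule, group: str, resource: str, verb: str) -> bool:
    """True if one RBAC rule covers the (group, resource, verb) triple; '*' is a wildcard."""
    def covers(values: List[str], wanted: str) -> bool:
        return "*" in values or wanted in values
    return (covers(rule.get("apiGroups", []), group)
            and covers(rule.get("resources", []), resource)
            and covers(rule.get("verbs", []), verb))


def missing_finalizer_grants(role: Dict[str, Any],
                             owner_refs: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return the finalizers grants the role lacks for owner refs that set blockOwnerDeletion."""
    missing = []
    for ref in owner_refs:
        if not ref.get("blockOwnerDeletion", False):
            continue  # the admission plugin only checks when blockOwnerDeletion is set
        need = owner_ref_requirement(ref)
        if not any(rule_grants(r, need["apiGroup"], need["resource"], need["verb"])
                   for r in role["rules"]):
            missing.append(need)
    return missing


def patch_role(role: Dict[str, Any], needs: List[Dict[str, str]]) -> Dict[str, Any]:
    """Return a copy of the role with one narrow rule per missing grant (update only)."""
    patched = copy.deepcopy(role)
    for need in needs:
        patched["rules"].append({"apiGroups": [need["apiGroup"]],
                                 "resources": [need["resource"]],
                                 "verbs": [need["verb"]]})
    return patched


# Constructed stand-in for the role a release manifest might create: it can
# manage builds, pods and webhook configurations, but holds no */finalizers grant.
SAMPLE_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "knative-build-admin-example"},
    "rules": [
        {"apiGroups": ["build.knative.dev"], "resources": ["builds", "buildtemplates"],
         "verbs": ["get", "list", "watch", "create", "update", "delete"]},
        {"apiGroups": [""], "resources": ["pods", "secrets", "configmaps"],
         "verbs": ["get", "list", "watch", "create", "update", "delete"]},
        {"apiGroups": ["admissionregistration.k8s.io"],
         "resources": ["mutatingwebhookconfigurations"],
         "verbs": ["get", "list", "watch", "create", "update", "delete"]},
    ],
}

# Constructed owner references: the webhook marks its MutatingWebhookConfiguration
# with its own Deployment, the controller marks each build pod with its Build, and
# a ConfigMap owner without blockOwnerDeletion is included to show it is skipped.
SAMPLE_OWNER_REFS = [
    {"apiVersion": "extensions/v1beta1", "kind": "Deployment", "name": "webhook",
     "blockOwnerDeletion": True},
    {"apiVersion": "build.knative.dev/v1alpha1", "kind": "Build", "name": "simple-app-64f24",
     "blockOwnerDeletion": True},
    {"apiVersion": "v1", "kind": "ConfigMap", "name": "config-logging",
     "blockOwnerDeletion": False},
]

if __name__ == "__main__":
    gaps = missing_finalizer_grants(SAMPLE_ROLE, SAMPLE_OWNER_REFS)
    for need in gaps:
        print(f"missing: {need['verb']} on {need['resource']} in apiGroup '{need['apiGroup']}'")
    print("after patch:", missing_finalizer_grants(patch_role(SAMPLE_ROLE, gaps), SAMPLE_OWNER_REFS))
```

Run against a real cluster, the rules would come from `kubectl get clusterrole <name> -o json` and the owner references from the objects the controller creates; the check itself is the same. Note that a rule with `resources: ["*"]` already covers the finalizers subresource, which is why a cluster-admin binding for the user who applies the manifest does not help: the check applies to the service account the webhook and controller pods run as.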