build webhook pod reports "webhook.build.knative.dev" is forbidden: cannot set blockOwnerDeletion
cmoulliard opened this issue · comments
Charles Moulliard commented
Expected Behavior
Knative build pod should start without error
Actual Behavior
When the Knative build webhook starts, it generates this error:
{"level":"error","logger":"webhook","caller":"webhook/webhook.go:294","msg":"Failed to register webhook{error 25 0 Failed to create a webhook:
mutatingwebhookconfigurations.admissionregistration.k8s.io \"webhook.build.knative.dev\" is
forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set
finalizers on: no RBAC policy matched,
<nil>}","knative.dev/controller":"webhook","stacktrace":"github.com/knative/build/vendor/github.com/knative/pkg/webhook.
(*AdmissionController).Run\n\t/usr/local/google/home/mattmoor/go/src/github.com/knative/build/vendor/github.com/knative/pkg/webhook/webhook.go:294\nmain.main\n\t/usr/local/google/home/mattmoor/go/src/github.com/knative/build/cmd/webhook/main.go:92\nruntime.main\n\t/usr/lib/google-golang/src/runtime/proc.go:201"}
Steps to Reproduce the Problem
- oc new-project knative-build
- oc create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=admin
- oc apply -f https://github.com/knative/build/releases/download/v0.2.0/release.yaml
Additional Info
Version used: k8s 1.11, openshift 3.11
Knative Build release: 0.2.0
Charles Moulliard commented
Workaround is to edit the generated clusterrole and add the following missing rule:
- apiGroups:
  - extensions
  resources:
  - deployments/finalizers
  verbs:
  - get
  - list
  - create
  - update
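As an added example (not from the issue or the Knative project), a small check of a ClusterRole's rules against what the OwnerReferencesPermissionEnforcement admission plugin requires before blockOwnerDeletion may be set on an ownerReference: the update verb on the owner's finalizers subresource, here deployments/finalizers in the extensions group. The ClusterRole below is a constructed sample that only resembles the generated one; the rule appended to it is the workaround from the comment above.

```python
"""Check whether a ClusterRole lets a subject set blockOwnerDeletion on an
ownerReference to a Deployment. The admission plugin demands 'update' on the
owner's finalizers subresource; a plain 'deployments' rule does not cover it."""


def _matches(wanted, allowed):
    """RBAC list semantics: '*' is a wildcard, anything else is literal."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, api_group, resource, verb):
    """True if one PolicyRule grants <verb> on <api_group>/<resource>."""
    return (_matches(api_group, rule.get("apiGroups", []))
            and _matches(resource, rule.get("resources", []))
            and _matches(verb, rule.get("verbs", [])))


def can_set_block_owner_deletion(role, owner_group="extensions",
                                 owner_plural="deployments"):
    """True if any rule grants 'update' on <owner_plural>/finalizers."""
    sub = f"{owner_plural}/finalizers"
    return any(rule_allows(r, owner_group, sub, "update")
               for r in role.get("rules", []))


# Constructed sample (hypothetical): full rights on deployments, but no
# finalizers subresource rule, which is the situation the issue describes.
BEFORE = {
    "kind": "ClusterRole",
    "metadata": {"name": "sample-build-controller"},
    "rules": [
        {"apiGroups": ["extensions"], "resources": ["deployments"],
         "verbs": ["get", "list", "create", "update", "delete", "watch"]},
        {"apiGroups": ["build.knative.dev"], "resources": ["builds"],
         "verbs": ["*"]},
    ],
}

# The rule from the workaround comment.
WORKAROUND_RULE = {
    "apiGroups": ["extensions"],
    "resources": ["deployments/finalizers"],
    "verbs": ["get", "list", "create", "update"],
}


def with_workaround(role):
    """Return a copy of the role with the workaround rule appended."""
    return {**role, "rules": role.get("rules", []) + [WORKAROUND_RULE]}


if __name__ == "__main__":
    print("before:", can_set_block_owner_deletion(BEFORE))
    print("after: ", can_set_block_owner_deletion(with_workaround(BEFORE)))
```

The same check applies to any owner kind by changing the group and plural; on clusters where Deployments are served from the apps group, the finalizers rule must name that group instead.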
Charles Moulliard commented
The webhook pod is starting but is now reporting this error:
{"level":"info","caller":"logging/config.go:85","msg":"Logging level set to info"}
{"level":"info","logger":"webhook","caller":"webhook/main.go:57","msg":"Starting the Configuration Webhook","knative.dev/controller":"webhook"}
{"level":"info","logger":"webhook","caller":"webhook/webhook.go:276","msg":"Found certificates for webhook...","knative.dev/controller":"webhook"}
{"level":"info","logger":"webhook","caller":"webhook/webhook.go:386","msg":"Webhook already exists","knative.dev/controller":"webhook"}
{"level":"info","logger":"webhook","caller":"webhook/webhook.go:392","msg":"Updating webhook","knative.dev/controller":"webhook"}
{"level":"info","logger":"webhook","caller":"webhook/webhook.go:297","msg":"Successfully registered webhook","knative.dev/controller":"webhook"}
{"level":"error","logger":"webhook","caller":"webhook/webhook.go:305","msg":"ListenAndServeTLS for admission webhook returned error{error 25 0 listen tcp :443: bind: permission denied}","knative.dev/controller":"webhook","stacktrace":"github.com/knative/build/vendor/github.com/knative/pkg/webhook.(*AdmissionController).Run.func1\n\t/usr/local/google/home/mattmoor/go/src/github.com/knative/build/vendor/github.com/knative/pkg/webhook/webhook.go:305"}
Charles Moulliard commented
When a build is created, the serviceaccount used by the build's pod (created by the operator) produces the same error
message: 'pods "simple-app-64f24-r9sgt" is forbidden: cannot set blockOwnerDeletion
if an ownerReference refers to a resource you can''t set finalizers on: no RBAC
policy matched, <nil>'