Bug 1767806
| Summary: | Jenkins service account permission error after upgrading kubernetes plugin to 1.19.2 in jenkins | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Abhishek <aabhishe> |
| Component: | Jenkins | Assignee: | Akram Ben Aissi <abenaiss> |
| Status: | CLOSED ERRATA | QA Contact: | Jitendar Singh <jitsingh> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.1.z | CC: | abenaiss, aos-bugs, ckoep, pbhattac, rludva, scphantm, scuppett, vbobade |
| Target Milestone: | --- | | |
| Target Release: | 4.5.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1843941 | Environment: | |
| Last Closed: | 2020-07-13 17:12:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1843945, 1846957 | | |
Description
Abhishek
2019-11-01 13:08:18 UTC
Hi Abhishek, the current release of the Jenkins image uses kubernetes plugin 1.18.2 and we do not plan to migrate immediately unless there is a security issue with this version. Could you elaborate on the root problem, and why you require 1.19.2?

Hi Akram, Abhishek, the reason why one might want to use the Kubernetes plugin in version >1.19.2 is the "dynamic pvc workspace volume" feature. [1] This feature is currently not usable, because the Jenkins ServiceAccount is configured to have the `edit` ClusterRole if I remember correctly. That being said, the Plugin tries to create PVCs like so: [2]

~~~
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: test
  ownerReferences:
  - apiVersion: v1
    kind: Pod
    blockOwnerDeletion: true
    controller: true
    name: foo
    uid: bar
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 50Gi
  storageClassName: glusterfs-storage
~~~

Which fails with an error message along the lines of:

~~~
Error from server (Forbidden): error when creating "pvc.yaml": persistentvolumeclaims "test" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: no RBAC policy matched, <nil>
~~~

So I suppose the fix for this issue would be to add the correct permissions to the `ServiceAccount`, which I was unable to do so far. Here is what I tried to add:

~~~
rules:
- apiGroups: ["extensions"]
  resources: ["deployments/finalizers"]
  verbs: ["update"]
~~~

and

~~~
- apiGroups: ["extensions"]
  resources: ["pods/finalizers"]
  verbs: ["update"]
~~~

However, none of the above apparently does the trick. Any hints would be appreciated.

Kind regards,
Christian

---
[1] - https://github.com/jenkinsci/kubernetes-plugin/pull/600
[2] - https://github.com/jenkinsci/kubernetes-plugin/blob/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes/workspace/DynamicPVCWorkspaceVolume.java#L77-L99

I just encountered this exact thing with openshift 3.11 and plugin 1.19.3. Exactly the same issue.
Targeting 4.4.0 for investigation on the current master branch.

Hello Abhishek,

Can you try creating the ClusterRole below and binding it to the Jenkins Service Account with the command after it, in a similar fashion?

~~~
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: finalizer-role
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups: ["*"]
  resources: ["pods/finalizers","deployments/finalizers","persistentvolumeclaims/finalizers","persistentvolumes/finalizers"]
  verbs: ["*"]
~~~

~~~
$ oc create rolebinding jenkins_finalizer --clusterrole=finalizer-role --serviceaccount=jenkins-test:jenkins
~~~

I noticed that you have given the finalizer config only on the pods and not the pvc, whereas the error is happening at the PVC level. Let me know if the above works.

Regards,
Vibhav Bobade

We do not plan to upgrade kubernetes plugin to 1.19.3 yet. So we are postponing this one to 4.5.

verified

*** Bug 1839322 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409
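The RBAC matching behind Christian's failed rules and Vibhav's `finalizer-role`, as an added example that is not part of the bug thread, the kubernetes-plugin or OpenShift: the API server's owner-reference admission check requires `update` on the `finalizers` subresource of the owner, and the owner here is a Pod in the core (`""`) API group, so a rule scoped to `apiGroups: ["extensions"]` never matches. The evaluator below mirrors upstream rule semantics (`*`, exact `resource/subresource`, and `*/subresource`), derives the needed permission from the PVC manifest in the thread, and checks three roles against it. `LEAST_PRIVILEGE_ROLE` is my own narrowed alternative to the wildcard role, not something the thread proposes, and the Kind-to-resource mapping is a naive plural (a real cluster uses API discovery).

```python
"""Minimal Kubernetes RBAC evaluator for the blockOwnerDeletion check.

Constructed example for this bug thread; not code from the kubernetes-plugin,
OpenShift or Jenkins. It models (1) what the OwnerReferencesPermissionEnforcement
admission plugin demands when a manifest sets `blockOwnerDeletion: true`
(`update` on the owner's `finalizers` subresource) and (2) how RBAC PolicyRules
are matched, following the upstream evaluation helpers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    api_group: str  # "" is the core group (apiVersion: v1)
    resource: str   # "pods" or the combined subresource form "pods/finalizers"
    verb: str


def _group_of(api_version: str) -> str:
    """'v1' -> '' (core group); 'apps/v1' -> 'apps'."""
    return api_version.split("/")[0] if "/" in api_version else ""


def required_finalizer_requests(manifest: dict) -> list:
    """Requests the creator of `manifest` must be allowed: one per owner
    reference that sets blockOwnerDeletion. Kind -> resource is a naive
    lower-case plural here (simplification; clusters use API discovery)."""
    out = []
    for ref in manifest.get("metadata", {}).get("ownerReferences", []):
        if ref.get("blockOwnerDeletion"):
            resource = ref["kind"].lower() + "s"
            out.append(Request(_group_of(ref["apiVersion"]), resource + "/finalizers", "update"))
    return out


def _resource_matches(rule_resources: list, requested: str) -> bool:
    # Upstream semantics: "*" matches everything; otherwise exact match on the
    # combined "resource/subresource" string; "*/sub" matches any resource's
    # subresource "sub". Note that "pods" alone does NOT match "pods/finalizers".
    sub = requested.split("/", 1)[1] if "/" in requested else ""
    for r in rule_resources:
        if r == "*" or r == requested:
            return True
        if sub and r == "*/" + sub:
            return True
    return False


def rule_allows(rule: dict, req: Request) -> bool:
    """One PolicyRule allows a request iff group, resource and verb all match."""
    group_ok = any(g in ("*", req.api_group) for g in rule.get("apiGroups", []))
    verb_ok = any(v in ("*", req.verb) for v in rule.get("verbs", []))
    return group_ok and verb_ok and _resource_matches(rule.get("resources", []), req.resource)


def role_allows(role: dict, req: Request) -> bool:
    """A Role/ClusterRole allows a request if any of its rules does."""
    return any(rule_allows(rule, req) for rule in role.get("rules", []))


def missing_permissions(role: dict, manifest: dict) -> list:
    """The finalizer requests `manifest` needs that `role` does not grant."""
    return [r for r in required_finalizer_requests(manifest) if not role_allows(role, r)]


# The PVC the plugin tries to create (taken from the thread), as a dict.
PVC = {
    "apiVersion": "v1", "kind": "PersistentVolumeClaim",
    "metadata": {"name": "test", "ownerReferences": [
        {"apiVersion": "v1", "kind": "Pod", "blockOwnerDeletion": True,
         "controller": True, "name": "foo", "uid": "bar"}]},
    "spec": {"accessModes": ["ReadWriteMany"],
             "resources": {"requests": {"storage": "50Gi"}},
             "storageClassName": "glusterfs-storage"},
}

# The rule Christian tried: pods live in the core group, not "extensions".
TRIED_ROLE = {"rules": [
    {"apiGroups": ["extensions"], "resources": ["pods/finalizers"], "verbs": ["update"]}]}

# Vibhav's finalizer-role from the thread (wildcard group and verbs).
FINALIZER_ROLE = {"rules": [
    {"apiGroups": ["*"], "verbs": ["*"],
     "resources": ["pods/finalizers", "deployments/finalizers",
                   "persistentvolumeclaims/finalizers", "persistentvolumes/finalizers"]}]}

# Narrower alternative (my assumption, not from the thread): only what the
# admission check asks for, in the core group, and only the `update` verb.
LEAST_PRIVILEGE_ROLE = {"rules": [
    {"apiGroups": [""], "resources": ["pods/finalizers"], "verbs": ["update"]}]}


if __name__ == "__main__":
    for name, role in [("tried", TRIED_ROLE), ("finalizer-role", FINALIZER_ROLE),
                       ("least-privilege", LEAST_PRIVILEGE_ROLE)]:
        print(name, "missing:", missing_permissions(role, PVC))
```

Running it reports the core-group `pods/finalizers` update as missing for the tried rule and nothing missing for the other two, which is why the wildcard role worked even though its `apiGroups: ["*"]` and `verbs: ["*"]` grant far more than the check needs; binding the narrower role (and the existing `edit` role for creating the PVC itself) covers the same admission check.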