Bug 1814728

Summary: "oc create job --from=cronjob/hello hello-job" fails with "error: failed to create job: jobs.batch "hello-job" is forbidden: cannot set blockOwnerDeletion..."
Product: OpenShift Container Platform Reporter: Sergey Yedrikov <syedriko>
Component: ocAssignee: Maciej Szulik <maszulik>
Status: CLOSED ERRATA QA Contact: zhou ying <yinzhou>
Severity: high Docs Contact:
Priority: high    
Version: 4.3.0CC: aivaras.laimikis, aos-bugs, christoph.obexer, dkulkarn, eparis, jnaess, jokerman, jrosenta, knarra, ksathe, maszulik, mfojtik, mharri, ocasalsa, palshure, rabdulra, scott.c.worthington, scott.worthington, sgarciam, sparpate
Target Milestone: ---   
Target Release: 4.5.0   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-13 17:22:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Sergey Yedrikov 2020-03-18 15:10:56 UTC 
Description of problem:
"oc create job --from=cronjob/hello hello-job" fails with "error: failed to create job: jobs.batch "hello-job" is forbidden: cannot set blockOwnerDeletion..."

This is an upstream kubectl bug. The issue is tracked as
https://github.com/kubernetes/kubectl/issues/842, the PR with the fix is at
https://github.com/kubernetes/kubernetes/pull/89194 .

Version-Release number of selected component (if applicable):

OCP 4.3

How reproducible:
Always

Steps to Reproduce:
1. Enable/check that it is enabled the OwnerReferencesPermissionEnforcement API server admission plugin. It should be enabled in OpenShift.

2. Create a CronJob, the one from the k8s docs will do:
```
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: hello
spec:
  schedule: "30 3 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: hello
            image: busybox
            args:
            - /bin/sh
            - -c
            - date; echo Hello from a CronJob
          restartPolicy: OnFailure
```

3. Run "oc create job --from=cronjob/hello hello-job":
```
$ oc create job --from=cronjob/hello hello-job
error: failed to create job: jobs.batch "hello-job" is forbidden: cannot set blockOwnerDeletion in this case because cannot find RESTMapping for APIVersion apps/v1 Kind CronJob: no matches for kind "CronJob" in version "apps/v1"
$


Actual results:
```
error: failed to create job: jobs.batch "hello-job" is forbidden: cannot set blockOwnerDeletion in this case because cannot find RESTMapping for APIVersion apps/v1 Kind CronJob: no matches for kind "CronJob" in version "apps/v1"
```

Expected results:
```
job.batch/hello-job created
```

Additional info:
The issue was discovered by the OCP Cluster Logging team.
"oc create job" is mentioned in the Cluster Logging docs as a way to manually trigger a Logging component Curator out of schedule:
https://docs.openshift.com/container-platform/4.3/logging/config/cluster-logging-curator.html#cluster-logging-curator-troubleshoot_cluster-logging-curator
Comment 1 Maciej Szulik 2020-03-18 17:05:44 UTC 
Fix will be in https://github.com/kubernetes/kubernetes/pull/88646
Comment 2 Maciej Szulik 2020-03-20 09:22:04 UTC 
*** Bug 1815082 has been marked as a duplicate of this bug. ***
Comment 6 Maciej Szulik 2020-05-08 17:31:55 UTC 
*** Bug 1829367 has been marked as a duplicate of this bug. ***
Comment 7 Maciej Szulik 2020-05-08 18:14:29 UTC 
Should be fixed in https://github.com/openshift/oc/pull/409
Comment 10 zhou ying 2020-05-09 03:07:21 UTC 
[root@dhcp-140-138 ~]# oc get cronjob
NAME    SCHEDULE     SUSPEND   ACTIVE   LAST SCHEDULE   AGE
hello   30 3 * * *   False     0        <none>          89s

[root@dhcp-140-138 ~]# oc create job --from=cronjob/hello hello-job
job.batch/hello-job created

[root@dhcp-140-138 ~]# oc get job
NAME        COMPLETIONS   DURATION   AGE
hello-job   1/1           13s        61s

[root@dhcp-140-138 ~]# oc get po 
NAME              READY   STATUS      RESTARTS   AGE
hello-job-762kn   0/1     Completed   0          76s


[root@dhcp-140-138 ~]# oc version -o yaml 
clientVersion:
  buildDate: "2020-05-07T22:03:52Z"
  compiler: gc
  gitCommit: f415627b3a8df305c4dd0ada0b4bc1271846a777
  gitTreeState: clean
  gitVersion: 4.5.0-202005072157-f415627
  goVersion: go1.13.4
  major: ""
  minor: ""
  platform: linux/amd64
Comment 11 Sergio G. 2020-07-08 10:37:01 UTC 
For whoever who is waiting for this fix to be released, I confirmed in OpenShift 4.4.11 that it doesn't fail anymore.

So, in some way this is already fixed (I'm not sure which is the version which fixes it) but the bugzilla is pending to be updated.
Comment 12 Sergio G. 2020-07-08 10:39:49 UTC 
It doesn't fail in 4.3.19 neither so it was backported also.

@Maciej, please can you update the bugzilla properly so we can see which is the version which fixes the issue and which errata included it?
Comment 13 Maciej Szulik 2020-07-09 08:34:31 UTC 
Sergio it was a regression related with a different fix, which linked the newly created job with the parent cronjob introduced in 4.5,
so only 4.5 was affected. Previous version (4.4 and 4.3) did not have that problem. So the version set is correct.
Comment 15 errata-xmlrpc 2020-07-13 17:22:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409
Comment 20 Scott Worthington 2020-08-27 19:39:49 UTC 
I just tried the following with the 4.4.19 oc client.

$ oc version
Client Version: 4.4.19
Server Version: 4.4.9
Kubernetes Version: v1.17.1+912792b

$ oc create job --from=cronjob/image-pruner my-image-pruner
error: failed to create job: jobs.batch "my-image-pruner" is forbidden: cannot set blockOwnerDeletion in this case because cannot find RESTMapping for APIVersion apps/v1 Kind CronJob: no matches for kind "CronJob" in version "apps/v1"

This comment says it was fixed in 4.4.11...

https://bugzilla.redhat.com/show_bug.cgi?id=1814728#c11

I attempted it again with...

$ oc version
Client Version: 4.5.7
Server Version: 4.4.9
Kubernetes Version: v1.17.1+912792b

$ oc create job --from=cronjob/image-pruner new-image-pruner
job.batch/new-image-pruner created

How do we know which 'oc' client has the fix?
Comment 21 RamaKasturi 2020-08-28 05:04:25 UTC 
Hi Scott,

   Below is what works with respect to cronjob.

1) Regular & admin users can create cronjob in 4.6+
2) Only Admin users can create cronjob in 4.5
3) 4.4 & lower cannot create cronjob via admin or normal user.

Hope that helps !!
Comment 22 Maciej Szulik 2020-08-28 09:37:07 UTC 
*** Bug 1873310 has been marked as a duplicate of this bug. ***