Description of problem:Jenkins service account permission issue after upgraded kubernetes plugin to 1.19.2 in jenkins io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://172.30.0.1/api/v1/namespaces/<test>/persistentvolumeclaims. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. persistentvolumeclaims "pvc-maven-7xv1q" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>. Do we have any tested integration document for plugin vs openshift/jenkins? Openshift version: 4.1.18
Hi Abishek, the current release of the Jenkins image uses kubernetes plugin 1.18.2 and we do not plan to migrate immediately unless there is a security issue with this version. Could you elaborate on the root problem, and on why you require 1.19.2?
Hi Akram, Abishek, the reason why one might want to use the Kubernetes plugin in version >1.19.2 is the "dynamic pvc workspace volume" feature. [1] This feature is currently not usable, because the Jenkins ServiceAccount is configured to have the `edit` ClusterRole if I remember correctly. That being said, the Plugin tries to create PVCs like so: [2]

~~~
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: test
  ownerReferences:
  - apiVersion: v1
    kind: Pod
    blockOwnerDeletion: true
    controller: true
    name: foo
    uid: bar
spec:
  accessModes:
  - ReadWriteMany
  resources:
    requests:
      storage: 50Gi
  storageClassName: glusterfs-storage
~~~

Which fails with an error message along the lines of:

~~~
Error from server (Forbidden): error when creating "pvc.yaml": persistentvolumeclaims "test" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: no RBAC policy matched, <nil>
~~~

So I suppose the fix for this issue would be to add the correct permissions to the `ServiceAccount`, which I was unable to do so far. Here is what I tried to add:

~~~
rules:
- apiGroups: ["extensions"]
  resources: ["deployments/finalizers"]
  verbs: ["update"]
~~~

and

~~~
- apiGroups: ["extensions"]
  resources: ["pods/finalizers"]
  verbs: ["update"]
~~~

However, none of the above apparently does the trick. Any hints would be appreciated.

Kind regards,
Christian

---
[1] - https://github.com/jenkinsci/kubernetes-plugin/pull/600
[2] - https://github.com/jenkinsci/kubernetes-plugin/blob/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes/workspace/DynamicPVCWorkspaceVolume.java#L77-L99
I just encountered this exact thing with openshift 3.11 and plugin 1.19.3. Exactly the same issue.
Targeting 4.4.0 for investigation on the current master branch.
Hello Abhishek,

Can you try creating the ClusterRole below and binding it to the Jenkins Service Account with the command in a similar fashion after that:

~~~
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: finalizer-role
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups: ["*"]
  resources: ["pods/finalizers","deployments/finalizers","persistentvolumeclaims/finalizers","persistentvolumes/finalizers"]
  verbs: ["*"]
~~~

~~~
$ oc create rolebinding jenkins_finalizer --clusterrole=finalizer-role --serviceaccount=jenkins-test:jenkins
~~~

I noticed that you have given the finalizer config only on the pods and not the pvc, whereas the error is happening at the PVC level. Let me know if the above works.

Regards,
Vibhav Bobade
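As an added illustration (not part of the bug thread, the Jenkins image or the kubernetes plugin), the following Python matcher applies Kubernetes RBAC rule semantics (exact or "*" for apiGroups and verbs; exact, "*" or "*/subresource" for resources) to the two rule sets posted in this thread. The owner in the PVC's ownerReference is a Pod, which lives in the core API group (""), so rules scoped to apiGroups ["extensions"] never match the `update pods/finalizers` check that the OwnerReferencesPermissionEnforcement admission plugin performs before blockOwnerDeletion may be set.

```python
"""RBAC matcher: why the 'extensions' rules fail and finalizer-role works.

Added example, not code from the bug thread or the plugin. Rule sets below
are copied from comments 3 and 6; the request tuple is what the
owner-reference admission check requires for a Pod owner.
"""

# Rules Christian tried (comment 3): Pods are not in the "extensions" group.
ATTEMPTED_RULES = [
    {"apiGroups": ["extensions"], "resources": ["deployments/finalizers"], "verbs": ["update"]},
    {"apiGroups": ["extensions"], "resources": ["pods/finalizers"], "verbs": ["update"]},
]

# Rules of the finalizer-role ClusterRole suggested by Vibhav (comment 6).
FINALIZER_ROLE_RULES = [
    {"apiGroups": ["*"],
     "resources": ["pods/finalizers", "deployments/finalizers",
                   "persistentvolumeclaims/finalizers", "persistentvolumes/finalizers"],
     "verbs": ["*"]},
]


def _resource_matches(pattern: str, resource: str) -> bool:
    """Kubernetes semantics: '*', exact 'res/sub', or '*/sub' for subresources."""
    if pattern == "*" or pattern == resource:
        return True
    if "/" in resource:
        sub = resource.split("/", 1)[1]
        return pattern == "*/" + sub
    return False


def rule_allows(rule: dict, group: str, resource: str, verb: str) -> bool:
    """True if a single PolicyRule grants (apiGroup, resource, verb)."""
    group_ok = "*" in rule["apiGroups"] or group in rule["apiGroups"]
    resource_ok = any(_resource_matches(p, resource) for p in rule["resources"])
    verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    return group_ok and resource_ok and verb_ok


def allows(rules: list, group: str, resource: str, verb: str) -> bool:
    """True if any rule in the role grants the request (rules are additive)."""
    return any(rule_allows(r, group, resource, verb) for r in rules)


# Request made when a PVC sets blockOwnerDeletion on a core-group Pod owner.
OWNER_CHECK = ("", "pods/finalizers", "update")

if __name__ == "__main__":
    for name, rules in (("attempted", ATTEMPTED_RULES), ("finalizer-role", FINALIZER_ROLE_RULES)):
        print(f"{name}: update pods/finalizers in core group -> {allows(rules, *OWNER_CHECK)}")
```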
We do not plan to upgrade kubernetes plugin to 1.19.3 yet. So we are postponing this one to 4.5.
verified
*** Bug 1839322 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409