Bug 1814728 - "oc create job --from=cronjob/hello hello-job" fails with "error: failed to create job: jobs.batch "hello-job" is forbidden: cannot set blockOwnerDeletion..."
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.3.0
Hardware: All
OS: All
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.5.0
Assignee: Maciej Szulik
QA Contact: zhou ying
URL:
Whiteboard:
Duplicates: 1815082 1829367 1873310
Depends On:
Blocks:
Reported: 2020-03-18 15:10 UTC by Sergey Yedrikov
Modified: 2024-03-25 15:45 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-13 17:22:38 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2409 0 None None None 2020-07-13 17:23:02 UTC

Description Sergey Yedrikov 2020-03-18 15:10:56 UTC
Description of problem:
"oc create job --from=cronjob/hello hello-job" fails with "error: failed to create job: jobs.batch "hello-job" is forbidden: cannot set blockOwnerDeletion..."

This is an upstream kubectl bug. The issue is tracked as
https://github.com/kubernetes/kubectl/issues/842, the PR with the fix is at
https://github.com/kubernetes/kubernetes/pull/89194 .

Version-Release number of selected component (if applicable):

OCP 4.3

How reproducible:
Always

Steps to Reproduce:
1. Enable the OwnerReferencesPermissionEnforcement API server admission plugin, or check that it is enabled. It should be enabled in OpenShift.

2. Create a CronJob, the one from the k8s docs will do:
```
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: hello
spec:
  schedule: "30 3 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: hello
            image: busybox
            args:
            - /bin/sh
            - -c
            - date; echo Hello from a CronJob
          restartPolicy: OnFailure
```

3. Run "oc create job --from=cronjob/hello hello-job":
```
$ oc create job --from=cronjob/hello hello-job
error: failed to create job: jobs.batch "hello-job" is forbidden: cannot set blockOwnerDeletion in this case because cannot find RESTMapping for APIVersion apps/v1 Kind CronJob: no matches for kind "CronJob" in version "apps/v1"
$
```

Actual results:
```
error: failed to create job: jobs.batch "hello-job" is forbidden: cannot set blockOwnerDeletion in this case because cannot find RESTMapping for APIVersion apps/v1 Kind CronJob: no matches for kind "CronJob" in version "apps/v1"
```

Expected results:
```
job.batch/hello-job created
```

Additional info:
The issue was discovered by the OCP Cluster Logging team.
"oc create job" is mentioned in the Cluster Logging docs as a way to manually trigger a Logging component Curator out of schedule:
https://docs.openshift.com/container-platform/4.3/logging/config/cluster-logging-curator.html#cluster-logging-curator-troubleshoot_cluster-logging-curator
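
The mismatch behind the error, as an added example that is not part of the bug report or of oc: the CronJob in step 2 is `batch/v1beta1`, while the error names an owner of `apps/v1` Kind `CronJob`. The sketch lints a Job's ownerReferences against a constructed table of served kinds; `servedKinds`, `checkOwnerRefs` and both manifests are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// job holds only the metadata fields the error message refers to.
type job struct {
	Metadata struct {
		Name            string `json:"name"`
		OwnerReferences []struct {
			APIVersion         string `json:"apiVersion"`
			Kind               string `json:"kind"`
			BlockOwnerDeletion bool   `json:"blockOwnerDeletion"`
		} `json:"ownerReferences"`
	} `json:"metadata"`
}

// servedKinds is a constructed stand-in for API discovery.
var servedKinds = map[string]bool{"batch/v1beta1/CronJob": true, "batch/v1/Job": true}

// Constructed manifests: the owner reference from the error, and a corrected one.
const brokenJob = `{"metadata":{"name":"hello-job","ownerReferences":[
 {"apiVersion":"apps/v1","kind":"CronJob","name":"hello","blockOwnerDeletion":true}]}}`
const fixedJob = `{"metadata":{"name":"hello-job","ownerReferences":[
 {"apiVersion":"batch/v1beta1","kind":"CronJob","name":"hello","blockOwnerDeletion":true}]}}`

// checkOwnerRefs lists blocking owner references whose kind is not in servedKinds.
func checkOwnerRefs(manifest []byte) ([]string, error) {
	var j job
	if err := json.Unmarshal(manifest, &j); err != nil {
		return nil, err
	}
	var problems []string
	for _, ref := range j.Metadata.OwnerReferences {
		if ref.BlockOwnerDeletion && !servedKinds[ref.APIVersion+"/"+ref.Kind] {
			problems = append(problems, fmt.Sprintf("%s: no mapping for apiVersion %s kind %s",
				j.Metadata.Name, ref.APIVersion, ref.Kind))
		}
	}
	return problems, nil
}

func main() {
	for _, m := range []string{brokenJob, fixedJob} {
		fmt.Println(checkOwnerRefs([]byte(m)))
	}
}
```

On a live cluster the served kinds would come from API discovery rather than a fixed table.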

Comment 1 Maciej Szulik 2020-03-18 17:05:44 UTC
Fix will be in https://github.com/kubernetes/kubernetes/pull/88646

Comment 2 Maciej Szulik 2020-03-20 09:22:04 UTC
*** Bug 1815082 has been marked as a duplicate of this bug. ***

Comment 6 Maciej Szulik 2020-05-08 17:31:55 UTC
*** Bug 1829367 has been marked as a duplicate of this bug. ***

Comment 7 Maciej Szulik 2020-05-08 18:14:29 UTC
Should be fixed in https://github.com/openshift/oc/pull/409

Comment 10 zhou ying 2020-05-09 03:07:21 UTC
```
[root@dhcp-140-138 ~]# oc get cronjob
NAME    SCHEDULE     SUSPEND   ACTIVE   LAST SCHEDULE   AGE
hello   30 3 * * *   False     0        <none>          89s

[root@dhcp-140-138 ~]# oc create job --from=cronjob/hello hello-job
job.batch/hello-job created

[root@dhcp-140-138 ~]# oc get job
NAME        COMPLETIONS   DURATION   AGE
hello-job   1/1           13s        61s

[root@dhcp-140-138 ~]# oc get po
NAME              READY   STATUS      RESTARTS   AGE
hello-job-762kn   0/1     Completed   0          76s

[root@dhcp-140-138 ~]# oc version -o yaml
clientVersion:
  buildDate: "2020-05-07T22:03:52Z"
  compiler: gc
  gitCommit: f415627b3a8df305c4dd0ada0b4bc1271846a777
  gitTreeState: clean
  gitVersion: 4.5.0-202005072157-f415627
  goVersion: go1.13.4
  major: ""
  minor: ""
  platform: linux/amd64
```

Comment 11 Sergio G. 2020-07-08 10:37:01 UTC
For whoever is waiting for this fix to be released: I confirmed in OpenShift 4.4.11 that it doesn't fail anymore.

So, in some way this is already fixed (I'm not sure which version fixes it), but the bugzilla is still pending an update.

Comment 12 Sergio G. 2020-07-08 10:39:49 UTC
It doesn't fail in 4.3.19 either, so it was backported also.

@Maciej, please can you update the bugzilla properly so we can see which is the version which fixes the issue and which errata included it?

Comment 13 Maciej Szulik 2020-07-09 08:34:31 UTC
Sergio, it was a regression related to a different fix, which linked the newly created job with the parent cronjob, introduced in 4.5,
so only 4.5 was affected. Previous versions (4.4 and 4.3) did not have that problem. So the version set is correct.

Comment 15 errata-xmlrpc 2020-07-13 17:22:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409

Comment 20 Scott Worthington 2020-08-27 19:39:49 UTC
I just tried the following with the 4.4.19 oc client.

```
$ oc version
Client Version: 4.4.19
Server Version: 4.4.9
Kubernetes Version: v1.17.1+912792b

$ oc create job --from=cronjob/image-pruner my-image-pruner
error: failed to create job: jobs.batch "my-image-pruner" is forbidden: cannot set blockOwnerDeletion in this case because cannot find RESTMapping for APIVersion apps/v1 Kind CronJob: no matches for kind "CronJob" in version "apps/v1"
```

This comment says it was fixed in 4.4.11...

https://bugzilla.redhat.com/show_bug.cgi?id=1814728#c11

I attempted it again with...

```
$ oc version
Client Version: 4.5.7
Server Version: 4.4.9
Kubernetes Version: v1.17.1+912792b

$ oc create job --from=cronjob/image-pruner new-image-pruner
job.batch/new-image-pruner created
```

How do we know which 'oc' client has the fix?

Comment 21 RamaKasturi 2020-08-28 05:04:25 UTC
Hi Scott,

   Below is what works with respect to cronjob.

1) Regular & admin users can create cronjob in 4.6+
2) Only Admin users can create cronjob in 4.5
3) 4.4 & lower cannot create cronjob via admin or normal user.

Hope that helps !!

Comment 22 Maciej Szulik 2020-08-28 09:37:07 UTC
*** Bug 1873310 has been marked as a duplicate of this bug. ***

