Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1912640

Summary: Go operator's controller pods is forbidden
Product: OpenShift Container Platform Reporter: Fan Jia <jfan>
Component: Operator SDKAssignee: Rashmi Gottipati <rgottipa>
Status: CLOSED ERRATA QA Contact: Fan Jia <jfan>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 4.7CC: aos-bugs, chuo, jesusr, jiazha
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1914406 (view as bug list) Environment:
Last Closed: 2021-02-24 15:49:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 1 Fan Jia 2021-01-06 06:59:28 UTC 
The rbac problem , should be added to the release doc. Will open a new bug if it is missed in the release doc. https://sdk.operatorframework.io/docs/faqs/#i-keep-hitting-errors-like-is-forbidden-cannot-set-blockownerdeletion-if-an-ownerreference-refers-to-a-resource-you-cant-set-finalizers-on-how-do-i-fix-this
Comment 2 Fan Jia 2021-01-06 09:59:14 UTC 
Add rbac can't fix this problem by doc: https://sdk.operatorframework.io/docs/faqs/#i-keep-hitting-errors-like-is-forbidden-cannot-set-blockownerdeletion-if-an-ownerreference-refers-to-a-resource-you-cant-set-finalizers-on-how-do-i-fix-this
This proble is caused by the "scc RunAsUser policy :MustRunAsRange", so the default RunAsUser:65532 can't meet the request. Should delete the RunAsUser:65532 from the default generate files:"./config/manager/manager.yaml" and "Dockerfile".
Comment 3 Jesus M. Rodriguez 2021-01-07 15:47:48 UTC 
This bugzilla looks identical to this github issue https://github.com/operator-framework/operator-sdk/issues/4364
Comment 4 Rashmi Gottipati 2021-01-08 19:07:52 UTC 
For Go operators to run on OCP, QE must replace `runAsUser: 65532` with `runAsNonRoot: true` in the `config/manager/manager.yaml` file shown as below: 

```yaml
 spec:
       securityContext:
         runAsNonRoot: true 
 ```

There is now a documentation bug - https://bugzilla.redhat.com/show_bug.cgi?id=1914406, to document this change. 
This will also be addressed in the upstream docs as well.
Comment 5 Fan Jia 2021-01-11 11:45:58 UTC 
Test padd after deleting the RunAsUser:65532 from the default generate files:"./config/manager/manager.yaml" and "Dockerfile".
Comment 6 Rashmi Gottipati 2021-01-14 01:19:55 UTC 
Thanks for confirming Jia Fan.
Comment 9 errata-xmlrpc 2021-02-24 15:49:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633