Bug 1912640 - Go operator's controller pods is forbidden
Summary: Go operator's controller pods is forbidden
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Operator SDK
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 4.7.0
Assignee: Rashmi Gottipati
QA Contact: Fan Jia
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-01-05 02:59 UTC by Fan Jia
Modified: 2021-02-24 15:50 UTC (History)
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1914406 (view as bug list)
Environment:
Last Closed: 2021-02-24 15:49:43 UTC
Target Upstream Version:
Embargoed:

Links
Red Hat Product Errata RHSA-2020:5633 (last updated 2021-02-24 15:50:10 UTC)

Comment 1 Fan Jia 2021-01-06 06:59:28 UTC
The rbac problem should be added to the release doc. Will open a new bug if it is missed in the release doc. https://sdk.operatorframework.io/docs/faqs/#i-keep-hitting-errors-like-is-forbidden-cannot-set-blockownerdeletion-if-an-ownerreference-refers-to-a-resource-you-cant-set-finalizers-on-how-do-i-fix-this

Comment 2 Fan Jia 2021-01-06 09:59:14 UTC
Adding rbac can't fix this problem per the doc: https://sdk.operatorframework.io/docs/faqs/#i-keep-hitting-errors-like-is-forbidden-cannot-set-blockownerdeletion-if-an-ownerreference-refers-to-a-resource-you-cant-set-finalizers-on-how-do-i-fix-this
This problem is caused by the "scc RunAsUser policy: MustRunAsRange", so the default RunAsUser:65532 can't meet the request. Should delete the RunAsUser:65532 from the default generated files: "./config/manager/manager.yaml" and "Dockerfile".

Comment 3 Jesus M. Rodriguez 2021-01-07 15:47:48 UTC
This bugzilla looks identical to this github issue https://github.com/operator-framework/operator-sdk/issues/4364

Comment 4 Rashmi Gottipati 2021-01-08 19:07:52 UTC
For Go operators to run on OCP, QE must replace `runAsUser: 65532` with `runAsNonRoot: true` in the `config/manager/manager.yaml` file as shown below:

```yaml
spec:
  securityContext:
    runAsNonRoot: true
```

There is now a documentation bug - https://bugzilla.redhat.com/show_bug.cgi?id=1914406, to document this change. 
This will also be addressed in the upstream docs as well.
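The check and rewrite described in comments 2 and 4, as an added example that is not part of the bug report or the Operator SDK project: it looks for the pinned UID that the restricted SCC's MustRunAsRange policy rejects, in both the manifest and the Dockerfile, and rewrites the manifest line to `runAsNonRoot: true`. It assumes the default scaffold layout with one setting per line; the sample files are constructed here.

```shell
#!/bin/sh
# Added example (not from the bug report or the SDK scaffold).
# Assumption: manager.yaml uses the default scaffold layout, one setting per line.

# Exit 0 if the manifest pins a numeric runAsUser, 1 otherwise.
has_fixed_uid() {
  grep -Eq '^[[:space:]]*runAsUser:[[:space:]]*[0-9]+[[:space:]]*$' "$1"
}

# Exit 0 if the Dockerfile pins a numeric UID with USER (e.g. "USER 65532:65532").
has_fixed_user() {
  grep -Eq '^USER[[:space:]]+[0-9]+' "$1"
}

# Print the manifest with each "runAsUser: <uid>" line replaced by
# "runAsNonRoot: true", keeping the indentation so the YAML stays valid.
# OpenShift then assigns a UID from the project's range and still refuses root.
fix_manifest() {
  sed -E 's/^([[:space:]]*)runAsUser:[[:space:]]*[0-9]+[[:space:]]*$/\1runAsNonRoot: true/' "$1"
}

# Constructed sample: the relevant part of a scaffolded config/manager/manager.yaml.
MANIFEST=$(mktemp)
cat > "$MANIFEST" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
spec:
  template:
    spec:
      securityContext:
        runAsUser: 65532
      containers:
      - name: manager
        image: controller:latest
EOF

# Constructed sample: the USER line of a scaffolded Dockerfile.
DOCKERFILE=$(mktemp)
printf 'FROM scratch\nUSER 65532:65532\n' > "$DOCKERFILE"

# Stand-alone run: report findings and show the rewritten manifest.
has_fixed_uid "$MANIFEST" && echo "manager.yaml pins runAsUser; rewriting"
has_fixed_user "$DOCKERFILE" && echo "Dockerfile pins a numeric USER; remove it"
fix_manifest "$MANIFEST"
```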

Comment 5 Fan Jia 2021-01-11 11:45:58 UTC
Test passed after deleting the RunAsUser:65532 from the default generated files: "./config/manager/manager.yaml" and "Dockerfile".

Comment 6 Rashmi Gottipati 2021-01-14 01:19:55 UTC
Thanks for confirming Jia Fan.

Comment 9 errata-xmlrpc 2021-02-24 15:49:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633
