Bug 1914406 - Document workaround for Go operator's controller pods is forbidden error
Summary: Document workaround for Go operator's controller pods is forbidden error
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 4.7
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.7.0
Assignee: Alex Dellapenta
QA Contact: Xiaoli Tian
Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-01-08 18:23 UTC by Rashmi Gottipati
Modified: 2021-03-01 19:58 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1912640
Environment:
Last Closed: 2021-03-01 19:58:13 UTC
Target Upstream Version:
Embargoed:



Description Rashmi Gottipati 2021-01-08 18:23:30 UTC
+++ This bug was initially created as a clone of Bug #1912640 +++

The RBAC problem should be added to the release doc. Will open a new bug if it is missed in the release doc. https://sdk.operatorframework.io/docs/faqs/#i-keep-hitting-errors-like-is-forbidden-cannot-set-blockownerdeletion-if-an-ownerreference-refers-to-a-resource-you-cant-set-finalizers-on-how-do-i-fix-this

--- Additional comment from Fan Jia on 2021-01-06 09:59:14 UTC ---

Adding RBAC per the doc can't fix this problem: https://sdk.operatorframework.io/docs/faqs/#i-keep-hitting-errors-like-is-forbidden-cannot-set-blockownerdeletion-if-an-ownerreference-refers-to-a-resource-you-cant-set-finalizers-on-how-do-i-fix-this
This problem is caused by the "scc RunAsUser policy: MustRunAsRange", so the default RunAsUser:65532 can't meet the request. Should delete the RunAsUser:65532 from the default generated files: "./config/manager/manager.yaml" and "Dockerfile".

--- Additional comment from Jesus M. Rodriguez on 2021-01-07 15:47:48 UTC ---

This bugzilla looks identical to this github issue https://github.com/operator-framework/operator-sdk/issues/4364

Comment 1 Jesus M. Rodriguez 2021-01-08 18:48:05 UTC
When creating Go operators using operator-sdk to run on OpenShift, the developer must replace `runAsUser: 65532` with `runAsNonRoot: true` in the `config/manager/manager.yaml` file, because the OpenShift cluster will auto-assign a random UID but it will attempt to respect the UID which was specified.

Long term this sort of problem can be fixed by having a downstream openshift plugin that can handle these sorts of scaffolding issues.

So in the documentation where we explain how to create a sample Go operator, we should add the above step to those instructions.
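
The manifest change described in Comment 1, as an added example that is not part of this bug report or of operator-sdk: a shell check that finds a pinned `runAsUser` in a manifest and replaces it with `runAsNonRoot: true`. The function names and the sample Deployment are constructed for illustration, and the script assumes the pinned UID sits on a line of its own; it covers `manager.yaml` only, not the Dockerfile.

```shell
#!/bin/sh
# Added example: not code from this bug report or from operator-sdk.
# Assumes the UID is pinned on its own line ("runAsUser: <number>") and that
# the same securityContext does not already set runAsNonRoot.

# Print (with line numbers) every hard-coded numeric runAsUser; exit 1 if none.
find_pinned_uid() {
    grep -nE '^[[:space:]]*runAsUser:[[:space:]]*[0-9]+[[:space:]]*$' "$1"
}

# Replace each pinned UID with runAsNonRoot: true, keeping the indentation,
# so the SCC (MustRunAsRange) can assign a UID from the project's range.
fix_manifest() {
    tmp=$(mktemp) || return 1
    sed -E 's/^([[:space:]]*)runAsUser:[[:space:]]*[0-9]+[[:space:]]*$/\1runAsNonRoot: true/' \
        "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample standing in for config/manager/manager.yaml.
write_sample() {
    cat > "$1" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
spec:
  template:
    spec:
      securityContext:
        runAsUser: 65532
      containers:
      - name: manager
        image: controller:latest
EOF
}

demo=$(mktemp)
write_sample "$demo"
echo "before:"; find_pinned_uid "$demo"
fix_manifest "$demo"
echo "after:"; grep -n 'runAsNonRoot' "$demo"
rm -f "$demo"
```

Run `find_pinned_uid config/manager/manager.yaml` in a CI step to catch a re-scaffolded manifest that reintroduces the fixed UID.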

Comment 2 Alex Dellapenta 2021-02-08 05:04:52 UTC
This has been addressed via https://github.com/openshift/openshift-docs/pull/28372 (QE already reviewed) and will be available in 4.7 docs when released.

