Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1914406

Summary: Document workaround for Go operator's controller pods is forbidden error
Product: OpenShift Container Platform
Reporter: Rashmi Gottipati <rgottipa>
Component: Documentation
Assignee: Alex Dellapenta <adellape>
Status: CLOSED CURRENTRELEASE
QA Contact: Xiaoli Tian <xtian>
Severity: high
Docs Contact: Vikram Goyal <vigoyal>
Priority: unspecified
Version: 4.7
CC: adellape, aos-bugs, chuo, jesusr, jfan, jiazha, jokerman
Target Milestone: ---
Target Release: 4.7.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1912640
Environment:
Last Closed: 2021-03-01 19:58:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Rashmi Gottipati 2021-01-08 18:23:30 UTC
+++ This bug was initially created as a clone of Bug #1912640 +++

The RBAC problem should be added to the release doc. Will open a new bug if it is missed in the release doc. https://sdk.operatorframework.io/docs/faqs/#i-keep-hitting-errors-like-is-forbidden-cannot-set-blockownerdeletion-if-an-ownerreference-refers-to-a-resource-you-cant-set-finalizers-on-how-do-i-fix-this

--- Additional comment from Fan Jia on 2021-01-06 09:59:14 UTC ---

Adding RBAC as described in the doc can't fix this problem: https://sdk.operatorframework.io/docs/faqs/#i-keep-hitting-errors-like-is-forbidden-cannot-set-blockownerdeletion-if-an-ownerreference-refers-to-a-resource-you-cant-set-finalizers-on-how-do-i-fix-this
This problem is caused by the "scc RunAsUser policy: MustRunAsRange", so the default RunAsUser:65532 can't meet the request. RunAsUser:65532 should be deleted from the default generated files: "./config/manager/manager.yaml" and "Dockerfile".

--- Additional comment from Jesus M. Rodriguez on 2021-01-07 15:47:48 UTC ---

This bugzilla looks identical to this github issue https://github.com/operator-framework/operator-sdk/issues/4364

Comment 1 Jesus M. Rodriguez 2021-01-08 18:48:05 UTC
When creating Go operators using operator-sdk to run on OpenShift, the developer must replace `runAsUser: 65532` with `runAsNonRoot: true` in the `config/manager/manager.yaml` file. This is because the OpenShift cluster will auto-assign a random UID, but it will attempt to respect the UID which was specified.

Long term, this sort of problem can be fixed by having a downstream OpenShift plugin that can handle these sorts of scaffolding issues.

So in the documentation where we explain how to create a sample Go operator, we should add the above step to those instructions.
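The following pre-deploy check is an added example, not part of the bug thread or of operator-sdk. It flags a hard-coded `runAsUser` that a `MustRunAsRange` policy would reject and confirms that `runAsNonRoot: true` is set instead. It assumes the namespace's allowed range is given in the `<first UID>/<block size>` form of the `openshift.io/sa.scc.uid-range` annotation; the manifest excerpt, the range value, and the function names are constructed for illustration.

```python
import re

# Hard-coded UID and non-root settings as they appear on a manifest line.
RUN_AS_USER = re.compile(r"^[ \t]*runAsUser:[ \t]*(\d+)[ \t]*(?:#.*)?$", re.MULTILINE)
RUN_AS_NON_ROOT = re.compile(r"^[ \t]*runAsNonRoot:[ \t]*true[ \t]*(?:#.*)?$", re.MULTILINE)

# Constructed excerpt modelled on config/manager/manager.yaml (not the real scaffold).
SCAFFOLDED = """\
spec:
  template:
    spec:
      securityContext:
        runAsUser: 65532
      containers:
      - name: manager
"""
FIXED = SCAFFOLDED.replace("runAsUser: 65532", "runAsNonRoot: true")
# Constructed value in the '<first UID>/<block size>' annotation form (assumption).
NAMESPACE_UID_RANGE = "1000620000/10000"


def parse_uid_range(annotation):
    """Return (lowest, highest) UID allowed by a '<first>/<size>' range string."""
    first, size = (int(part) for part in annotation.split("/"))
    if first < 0 or size < 1:
        raise ValueError(f"invalid UID range: {annotation!r}")
    return first, first + size - 1


def lint_manifest(manifest, annotation):
    """List the settings that would be rejected or that leave non-root unenforced."""
    low, high = parse_uid_range(annotation)
    findings = []
    for match in RUN_AS_USER.finditer(manifest):
        uid = int(match.group(1))
        if not low <= uid <= high:
            line_no = manifest.count("\n", 0, match.start()) + 1
            findings.append(f"line {line_no}: runAsUser {uid} is outside {low}-{high}")
    if not RUN_AS_NON_ROOT.search(manifest):
        findings.append("runAsNonRoot: true is not set")
    return findings


if __name__ == "__main__":
    for name, text in (("scaffolded", SCAFFOLDED), ("fixed", FIXED)):
        print(name, lint_manifest(text, NAMESPACE_UID_RANGE) or "ok")
```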

Comment 2 Alex Dellapenta 2021-02-08 05:04:52 UTC
This has been addressed via https://github.com/openshift/openshift-docs/pull/28372 (QE already reviewed) and will be available in 4.7 docs when released.