Created attachment 1754608 error_vm_snapshot_non_cluster_admin

Description of problem:
Non cluster admin user can not take VM snapshot, an error occurred.

virtualmachinesnapshots.snapshot.kubevirt.io "testsnapshot" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>

Version-Release number of selected component (if applicable):
ocp 4.7

How reproducible:
100%

Note: cluster admin user does not have this issue.

Steps to Reproduce:
1. non cluster admin user login: e.g. tester
2. create the VM in project (e.g. testing-day); the non-cluster-admin user has Admin role in this project.
3. VM is running in this project.
4. stop the VM
5. Click the "Take Snapshot" button.

Actual results:
an error occurred.
virtualmachinesnapshots.snapshot.kubevirt.io "testsnapshot" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>

Expected results:
user can take snapshot in the project which the user has Admin role in this project.

Additional info:
1. Note: cluster admin user does not have this issue.
2. $ oc describe rolebinding.rbac -n testing-day

Name:         admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  admin
Subjects:
  Kind  Name    Namespace
  ----  ----    ---------
  User  tester

Name:         system:deployers
Labels:       <none>
Annotations:  openshift.io/description: Allows deploymentconfigs in this namespace to rollout pods in this namespace. It is auto-managed by a controller; remove subjects to disa...
Role:
  Kind:  ClusterRole
  Name:  system:deployer
Subjects:
  Kind            Name      Namespace
  ----            ----      ---------
  ServiceAccount  deployer  testing-day

Name:         system:image-builders
Labels:       <none>
Annotations:  openshift.io/description: Allows builds in this namespace to push images to this namespace. It is auto-managed by a controller; remove subjects to disable.
Role:
  Kind:  ClusterRole
  Name:  system:image-builder
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  builder  testing-day

Name:         system:image-pullers
Labels:       <none>
Annotations:  openshift.io/description: Allows all pods in this namespace to pull images from this namespace. It is auto-managed by a controller; remove subjects to disable.
Role:
  Kind:  ClusterRole
  Name:  system:image-puller
Subjects:
  Kind   Name                                Namespace
  ----   ----                                ---------
  Group  system:serviceaccounts:testing-day
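The error text above comes from the Kubernetes OwnerReferencesPermissionEnforcement admission plugin, which requires `update` on the owner's `finalizers` subresource before a request may set `blockOwnerDeletion`. The following is an added example, not part of the original report or of KubeVirt/OpenShift code: a small model of that check. The role contents and the assumption that the snapshot's owner is the VM are constructed for illustration.

```python
# Added example: models the RBAC check behind the "cannot set blockOwnerDeletion" error.
# All role contents and ownerReferences below are constructed, not taken from the cluster.

def rule_allows(rule, verb, group, resource):
    """True if one RBAC PolicyRule grants `verb` on `resource` in API group `group`."""
    def match(granted, wanted):
        return "*" in granted or wanted in granted
    if not match(rule["verbs"], verb) or not match(rule["apiGroups"], group):
        return False
    # RBAC also accepts "*/<subresource>" as a wildcard over the parent resource.
    sub = resource.partition("/")[2]
    return match(rule["resources"], resource) or (bool(sub) and "*/" + sub in rule["resources"])

def can(rules, verb, group, resource):
    return any(rule_allows(r, verb, group, resource) for r in rules)

def admit_owner_refs(rules, owner_refs):
    """Return (allowed, reason) for creating an object carrying these ownerReferences.
    Each entry has group/resource already resolved from the owner's apiVersion/kind."""
    for ref in owner_refs:
        if not ref.get("blockOwnerDeletion"):
            continue  # the plugin only checks references that block owner deletion
        target = ref["resource"] + "/finalizers"
        if not can(rules, "update", ref["group"], target):
            return False, "cannot set blockOwnerDeletion: no update on " + target
    return True, ""

# Constructed project-level role (assumption): full access to VMs and snapshots,
# but no rule naming the virtualmachines/finalizers subresource.
PROJECT_ADMIN = [
    {"apiGroups": ["kubevirt.io"], "resources": ["virtualmachines"], "verbs": ["*"]},
    {"apiGroups": ["snapshot.kubevirt.io"], "resources": ["virtualmachinesnapshots"], "verbs": ["*"]},
]
# cluster-admin style wildcard: "*" in resources also covers subresources.
CLUSTER_ADMIN = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
# Same project role plus the one missing grant.
WITH_FINALIZERS = PROJECT_ADMIN + [
    {"apiGroups": ["kubevirt.io"], "resources": ["virtualmachines/finalizers"], "verbs": ["update"]},
]
# Constructed ownerReference on the snapshot, pointing at the VM (assumption).
SNAPSHOT_OWNERS = [{"group": "kubevirt.io", "resource": "virtualmachines", "blockOwnerDeletion": True}]

if __name__ == "__main__":
    for name, rules in [("project admin", PROJECT_ADMIN), ("cluster admin", CLUSTER_ADMIN),
                        ("project admin + finalizers", WITH_FINALIZERS)]:
        print(name, admit_owner_refs(rules, SNAPSHOT_OWNERS))
```

On a live cluster the equivalent question is whether the user may `update` the owner's `finalizers` subresource in that namespace; a full-verb grant on the parent resource alone does not cover it.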
Looks like a virt bug.
*** Bug 1924922 has been marked as a duplicate of this bug. ***
verified on ocp-4.7.0-rc.0
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633