Details
-
Bug
-
Resolution: Unresolved
-
Major
-
None
-
4.13.z, 4.14.z, 4.15.z
-
Important
-
False
-
Description
Description of problem:
With `oc` version 4.15 on OCP 4.15, the following command fails:
$ ~/openshift-client-linux-4.15.6/oc version Client Version: 4.15.6 Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3 Kubernetes Version: v1.28.7+f1b5f6c $ ~/openshift-client-linux-4.15.6/oc create job manual-skrenger-from-oc-415 --from=cronjob/pi error: failed to create job: jobs.batch "manual-skrenger-from-oc-415" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>
With older versions of `oc`, this command executes as expected:
$ ~/openshift-client-linux-4.14.19/oc version Client Version: 4.14.19 Kustomize Version: v5.0.1 Kubernetes Version: v1.28.7+f1b5f6c $ ~/openshift-client-linux-4.14.19/oc create job manual-skrenger-with-oc-414 --from=cronjob/pi job.batch/manual-skrenger-with-oc-414 created
Version-Release number of selected component (if applicable):
$ ~/openshift-client-linux-4.15.6/oc version Client Version: 4.15.6 Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3 Kubernetes Version: v1.28.7+f1b5f6c
How reproducible:
Always
Steps to Reproduce:
1. Set up a cluster using OCP 4.15 and set up IDP
2. Ensure a 4.15 version of `oc` client is used by executing "oc version"
3. Log in with a regular user, NOT cluster-admin (this is important)
4. Create a new project using "oc new-project example"
6. Create a Cronjob using the instructions in the documentation: https://docs.openshift.com/container-platform/4.15/nodes/jobs/nodes-nodes-jobs.html#nodes-nodes-jobs-creating-cron_nodes-nodes-jobs
7. Execute the following command to manually create a job from this cronjob: "oc create job manual-example --from=cronjob/pi"
Actual results:
Creating the job fails with:
$ ~/openshift-client-linux-4.15.6/oc create job manual-skrenger-from-oc-415 --from=cronjob/pi error: failed to create job: jobs.batch "manual-skrenger-from-oc-415" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>
This is likely due to the missing permission on "cronjobs/finalizers". We would expect the "admin" role to have these permissions (see comments below).
Expected results:
Job is created as expected
Additional info:
- `oc` Version 4.14 and OCP 4.14 did not yet show this behaviour, it seems only the new client will try to set these fields. OCP 4.14 and OCP 4.13 are also missing the necessary permissions in the "admin" role.
