Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-37200

"oc create job" fails with "cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on"

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • None
    • 4.13.z, 4.14.z, 4.15.z
    • oc

      Description of problem:

      With `oc` version 4.15 on OCP 4.15, the following command fails:

      $ ~/openshift-client-linux-4.15.6/oc version
Client Version: 4.15.6
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Kubernetes Version: v1.28.7+f1b5f6c

$ ~/openshift-client-linux-4.15.6/oc create job manual-skrenger-from-oc-415 --from=cronjob/pi
error: failed to create job: jobs.batch "manual-skrenger-from-oc-415" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>

      With older versions of `oc`, this command executes as expected:

      $ ~/openshift-client-linux-4.14.19/oc version
Client Version: 4.14.19
Kustomize Version: v5.0.1
Kubernetes Version: v1.28.7+f1b5f6c
$ ~/openshift-client-linux-4.14.19/oc create job manual-skrenger-with-oc-414 --from=cronjob/pi
job.batch/manual-skrenger-with-oc-414 created

      Version-Release number of selected component (if applicable):

      $ ~/openshift-client-linux-4.15.6/oc version
Client Version: 4.15.6
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Kubernetes Version: v1.28.7+f1b5f6c

      How reproducible:

      Always

      Steps to Reproduce:

      1. Set up a cluster using OCP 4.15 and set up IDP
      2. Ensure a 4.15 version of `oc` client is used by executing "oc version"
      3. Log in with a regular user, NOT cluster-admin (this is important)
      4. Create a new project using "oc new-project example"
      6. Create a Cronjob using the instructions in the documentation: https://docs.openshift.com/container-platform/4.15/nodes/jobs/nodes-nodes-jobs.html#nodes-nodes-jobs-creating-cron_nodes-nodes-jobs
      7. Execute the following command to manually create a job from this cronjob: "oc create job manual-example --from=cronjob/pi"

      Actual results:

      Creating the job fails with:

      $ ~/openshift-client-linux-4.15.6/oc create job manual-skrenger-from-oc-415 --from=cronjob/pi
error: failed to create job: jobs.batch "manual-skrenger-from-oc-415" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>

      This is likely due to the missing permission on "cronjobs/finalizers". We would expect the "admin" role to have these permissions (see comments below).

      Expected results:

      Job is created as expected

      Additional info:

      • `oc` Version 4.14 and OCP 4.14 did not yet show this behaviour, it seems only the new client will try to set these fields. OCP 4.14 and OCP 4.13 are also missing the necessary permissions in the "admin" role.

              aguclu@redhat.com Arda Guclu
              rhn-support-skrenger Simon Krenger
              ying zhou ying zhou
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: