openfaas / faas-netes

Serverless Functions For Kubernetes
https://www.openfaas.com
MIT License

forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on #807

Closed thinkahead closed 3 years ago

thinkahead commented 3 years ago

Get the following error when deploying a function on OpenShift in the gateway operator log when installed with --set operator.create=true.

I0617 14:46:13.705793 1 controller.go:254] Creating deployment for 'hello'
I0617 14:46:13.705865 1 deployment.go:152] Function hello: no profiles specified
I0617 14:46:13.705875 1 deployment.go:162] Function hello: Applying profiles []
E0617 14:46:13.738073 1 controller.go:206] error syncing 'openfaas-fn/hello': deployments.apps "hello" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: ,
W0617 14:46:15.723742 1 list.go:51] Function listing getReplicas error: deployment.apps "hello" not found

Expected Behaviour

The hello function should get executed in the openfaas-fn namespace

Current Behaviour

This causes the:

W0617 13:06:14.666512 1 list.go:51] Function listing getReplicas error: deployment.apps "hello" not found

BTW, it works fine if I install the Helm chart without the operator, i.e. --set operator.create=false

Are you a GitHub Sponsor (Yes/No?)

Currently testing on ppc64le

Check at: https://github.com/sponsors/openfaas

List All Possible Solutions and Workarounds

https://sdk.operatorframework.io/docs/faqs/#after-deploying-my-operator-why-do-i-see-errors-like-is-forbidden-cannot-set-blockownerdeletion-if-an-ownerreference-refers-to-a-resource-you-cant-set-finalizers-on-

It probably requires adding the rule with some specific resource/finalizer to openfaas-operator-rw role in openfaas-fn namespace or openfaas-operator-controller clusterrole. It works with the rule below added:

  - apiGroups:
    - openfaas.com
    resources:
    - '*'
    verbs:
    - update

Also separately, the component: openaas-operator should be changed to component: openfaas-operator in the template https://github.com/openfaas/faas-netes/blob/master/chart/openfaas/templates/operator-rbac.yaml#L113

Which Solution Do You Recommend?

Steps to Reproduce (for bugs)

  1. Try to deploy any function on OpenShift when openfaas is installed with operator

Context

Your Environment

alexellis commented 3 years ago

@thinkahead nobody appears to have this issue with the operator. My sense is that you have not shared some important context or information that we require.

If you're deploying a PPC64le function, then your build cannot be official which means you are likely outside the realms of what we can support via the GitHub issue tracker, and free goodwill.

If you can reproduce this issue with the official container builds of openfaas then please do update your issue.

I'll close this, but if we hear from you, we could consider re-opening. You can get enterprise support and consulting time from us at https://openfaas.com/support/

vkryzh commented 1 year ago

@alexellis This is still the issue. Solved by adding

  - apiGroups:
    - openfaas.com
    resources:
    - '*'
    verbs:
    - update

To the operator role, but this is just a temporary solution. We have to figure out the full set of required permissions as not everywhere we have ClusterAdmin permission :)

alexellis commented 1 year ago

Would you like to send a PR please @vkryzh ?

alexellis commented 4 months ago

Role and ClusterRole: https://github.com/openfaas/faas-netes/blob/master/chart/openfaas/templates/operator-rbac.yaml

- apiGroups: ["openfaas.com"]
  resources: ["functions", "functions/status"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

As per community call, it seems like functions/finalizers may also be required in the list.

resources: ["functions", "functions/status", "functions/finalizers"]
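
The error in this issue is raised by the Kubernetes OwnerReferencesPermissionEnforcement admission plugin, which only lets a caller set blockOwnerDeletion when it is allowed to `update` the `finalizers` subresource of the owner. The following added example (not code from faas-netes or from anyone in the thread) models that RBAC check and compares the rule sets quoted above; the function names and the simplified matching logic are assumptions made for illustration.

```python
# Added example, not faas-netes code. Rule sets below are constructed from
# the snippets quoted in this thread. Simplified model of RBAC rule matching:
# resourceNames, nonResourceURLs and role aggregation are ignored.

# What must be authorized before blockOwnerDeletion can be set on an
# ownerReference pointing at a Function.
REQUEST = {"group": "openfaas.com", "resource": "functions",
           "subresource": "finalizers", "verb": "update"}

def resource_matches(rule_resource, resource, subresource):
    """Match one entry of a rule's `resources` list against the request."""
    combined = f"{resource}/{subresource}" if subresource else resource
    if rule_resource in ("*", combined):
        return True
    # "*/finalizers" matches that subresource on every resource.
    return bool(subresource) and rule_resource == f"*/{subresource}"

def rule_allows(rule, req):
    return (
        any(g in ("*", req["group"]) for g in rule.get("apiGroups", []))
        and any(v in ("*", req["verb"]) for v in rule.get("verbs", []))
        and any(resource_matches(r, req["resource"], req["subresource"])
                for r in rule.get("resources", []))
    )

def audit(rules, req=REQUEST):
    """Report whether the request is allowed and whether only via a wildcard."""
    matching = [r for r in rules if rule_allows(r, req)]
    explicit = [r for r in matching
                if f'{req["resource"]}/{req["subresource"]}' in r["resources"]]
    return {"allowed": bool(matching),
            "wildcard_only": bool(matching) and not explicit}

CRUD = ["get", "list", "watch", "create", "update", "patch", "delete"]
CHART_RULE = [{"apiGroups": ["openfaas.com"],
               "resources": ["functions", "functions/status"], "verbs": CRUD}]
WORKAROUND = CHART_RULE + [{"apiGroups": ["openfaas.com"],
                            "resources": ["*"], "verbs": ["update"]}]
SCOPED = [{"apiGroups": ["openfaas.com"], "verbs": CRUD,
           "resources": ["functions", "functions/status",
                         "functions/finalizers"]}]

if __name__ == "__main__":
    for name, rules in [("chart rule", CHART_RULE),
                        ("wildcard workaround", WORKAROUND),
                        ("scoped rule", SCOPED)]:
        print(f"{name:20} {audit(rules)}")
```

A rule on `functions` alone does not cover `functions/finalizers`, which is why full CRUD on the resource still fails the check, while the `'*'` workaround passes only by granting `update` on every resource in the API group.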