cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers #98

Closed
zetaab opened this issue Oct 8, 2018 · 2 comments · Fixed by #161 or #329


zetaab commented Oct 8, 2018

Expected behaviour

I want to install a new Redis HA setup in OpenShift.

Actual behaviour

I can create redis-operator just fine. However, when I create a new redisfailover with https://github.com/spotahome/redis-operator/blob/master/example/redisfailover/persistant-storage.yaml

the result is the following (can be seen in the redis operator logs):

time="2018-10-08T08:45:48Z" level=warning msg="error processing redis-operator/redisforcj job (requeued): services \"rfs-redisforcj\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: User \"system:serviceaccount:redis-operator:redisoperator\" cannot update redisfailovers/finalizers.storage.spotahome.com in project \"redis-operator\", <nil>" controller=redisfailover operator=redisfailover src="generic.go:223"
time="2018-10-08T08:45:48Z" level=warning msg="error processing redis-operator/redisforcj job (requeued): services \"rfs-redisforcj\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: User \"system:serviceaccount:redis-operator:redisoperator\" cannot update redisfailovers/finalizers.storage.spotahome.com in project \"redis-operator\", <nil>" controller=redisfailover operator=redisfailover src="generic.go:223"
time="2018-10-08T08:45:48Z" level=warning msg="error processing redis-operator/redisforcj job (requeued): services \"rfs-redisforcj\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: User \"system:serviceaccount:redis-operator:redisoperator\" cannot update redisfailovers/finalizers.storage.spotahome.com in project \"redis-operator\", <nil>" controller=redisfailover operator=redisfailover src="generic.go:223"
time="2018-10-08T08:45:48Z" level=error msg="Error processing redis-operator/redisforcj: services \"rfs-redisforcj\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: User \"system:serviceaccount:redis-operator:redisoperator\" cannot update redisfailovers/finalizers.storage.spotahome.com in project \"redis-operator\", <nil>" controller=redisfailover operator=redisfailover src="generic.go:223"

Steps to reproduce the behaviour

Try installing redisfailover in OpenShift 3.9.

Environment

How are the pieces configured?

  • Redis Operator version: latest
  • Kubernetes version: openshift 3.9 (kubernetes 1.9)
  • Kubernetes configuration used (eg: Is RBAC active?) rbac active

Logs

Please, add the debugging logs. In order to be able to gather them, add -debug flag when running the operator.

Collaborator

jchanam commented Oct 8, 2018

Hi @zetaab,

I've never seen such errors in any of our logs. Have you set any finalizer specifically? I think that you may fix this by allowing (in the RBAC) the service account to access the finalizers API.

I don't know if you have a special configuration or if OpenShift has it by default. Unfortunately, we cannot support OpenShift. Maybe some other user has faced this error before and knows how to fix it.

@b4456609

Add redisfailovers/finalizers in the storage.spotahome.com API group. It seems to work. The following YAML is the full ClusterRole YAML.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: redisoperator
rules:
- apiGroups:
    - storage.spotahome.com
  resources:
    - redisfailovers
    - redisfailovers/finalizers
  verbs:
    - "*"
- apiGroups:
    - apiextensions.k8s.io
  resources:
    - customresourcedefinitions
  verbs:
    - "*"
- apiGroups:
    - ""
  resources:
    - pods
    - services
    - endpoints
    - events
    - configmaps
  verbs:
    - "*"
- apiGroups:
    - apps
  resources:
    - deployments
    - statefulsets
  verbs:
    - "*"
- apiGroups:
    - policy
  resources:
    - poddisruptionbudgets
  verbs:
    - "*"
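
Why the change in the comment above clears the error, as an added example that is not part of the original thread or the operator's code: in RBAC, a grant on `redisfailovers` does not cover the `redisfailovers/finalizers` subresource, which has to be listed by name. The rule sets are taken from the posted ClusterRole; `WITHOUT_FINALIZERS` and `NARROW` are constructed for comparison and are assumptions.

```python
# Added example: a minimal model of Kubernetes RBAC rule matching (not operator code).
GROUP = "storage.spotahome.com"

def resource_matches(rule_resources, resource, subresource=""):
    """Mirror RBAC semantics: a subresource is requested as 'resource/subresource'."""
    requested = f"{resource}/{subresource}" if subresource else resource
    for entry in rule_resources:
        if entry in ("*", requested):
            return True
        if subresource and entry == f"*/{subresource}":
            return True
    return False

def allowed(rules, verb, api_group, resource, subresource=""):
    """True if any rule grants the verb on the (group, resource[/subresource])."""
    for rule in rules:
        if (any(v in ("*", verb) for v in rule["verbs"])
                and any(g in ("*", api_group) for g in rule["apiGroups"])
                and resource_matches(rule["resources"], resource, subresource)):
            return True
    return False

def can_block_owner_deletion(rules):
    """The permission named in the error: update redisfailovers/finalizers."""
    return allowed(rules, "update", GROUP, "redisfailovers", "finalizers")

# Constructed: the posted rule with the finalizers entry removed.
WITHOUT_FINALIZERS = [
    {"apiGroups": [GROUP], "resources": ["redisfailovers"], "verbs": ["*"]},
]
# The storage.spotahome.com rule from the ClusterRole posted above.
POSTED = [
    {"apiGroups": [GROUP],
     "resources": ["redisfailovers", "redisfailovers/finalizers"], "verbs": ["*"]},
]
# Assumption: a narrower variant granting only the verb the error message names.
NARROW = [
    {"apiGroups": [GROUP], "resources": ["redisfailovers"], "verbs": ["*"]},
    {"apiGroups": [GROUP], "resources": ["redisfailovers/finalizers"], "verbs": ["update"]},
]

if __name__ == "__main__":
    for name, rules in [("without finalizers", WITHOUT_FINALIZERS),
                        ("posted", POSTED), ("narrow", NARROW)]:
        print(f"{name}: update finalizers allowed = {can_block_owner_deletion(rules)}")
```

The `NARROW` set satisfies the same check while granting only `update` on the finalizers subresource instead of every verb.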

@ese ese closed this as completed in #161 Jun 19, 2019
Tal-or added a commit to Tal-or/numaresources-operator that referenced this issue Apr 12, 2022
Needed for setting KubeletConfig as the OwnerReference: spotahome/redis-operator#98

Signed-off-by: Talor Itzhak <titzhak@redhat.com>