Description
Observed Behavior:

On Kubernetes clusters with the OwnerReferencesPermissionEnforcement admission plugin enabled (e.g., OpenShift), karpenter-provider-kwok is unable to provision KWOK nodes because the karpenter service account does not have permission to set ownerReferences when creating NodeClaim objects and updating Node objects while that plugin is enabled:

```json
{"level":"ERROR","time":"2025-06-19T18:24:47.038Z","logger":"controller","caller":"controller/controller.go:353","message":"Reconciler error","commit":"d0f1c47-dirty","controller":"provisioner","namespace":"","name":"","reconcileID":"8fb29109-bbf2-4d41-a900-b1e87993474e","error":"creating node claim, nodeclaims.karpenter.sh \"default-cxwp2\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>"}
```
Expected Behavior:

Change karpenter/kwok/charts/templates/clusterrole.yaml so the rules grant the finalizers subresources as well:

```yaml
- apiGroups: ["karpenter.sh"]
  resources: ["nodeclaims", "nodeclaims/status", "nodeclaims/finalizers"]
  verbs: ["create", "delete", "update", "patch"]
- apiGroups: ["karpenter.sh"]
  resources: ["nodepools", "nodepools/status", "nodepools/finalizers"]
  verbs: ["update", "patch"]
```

With those rules in place, the provider can provision the KWOK nodes.
Reproduction Steps (Please include YAML):

- Install an OpenShift cluster.
- Follow the steps to enable ko on OpenShift:
  `KWOK_REPO=$(oc registry info --public)/ko-images make apply`
- (have to pass `--insecure-registry` to `ko build` as well)
- (have to pass
- `make install-kwok`
```shell
kubectl apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web-app
  template:
    metadata:
      labels:
        app: web-app
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000
      containers:
        - image: public.ecr.aws/eks-distro/kubernetes/pause:3.2
          name: web-app
          resources:
            requests:
              cpu: "0.5"
              memory: 1Gi
          securityContext:
            allowPrivilegeEscalation: false
      nodeSelector:
        node.kubernetes.io/instance-type: "s-64x-amd64-linux"
      tolerations:
        - effect: NoSchedule
          key: karpenter.sh/special-taint
---
apiVersion: karpenter.sh/v1
kind: NodePool
metadata:
  name: default
spec:
  template:
    spec:
      requirements:
        - key: kubernetes.io/arch
          operator: In
          values: ["amd64"]
        - key: kubernetes.io/os
          operator: In
          values: ["linux"]
        - key: karpenter.sh/capacity-type
          operator: In
          values: ["spot"]
      nodeClassRef:
        name: default
        kind: KWOKNodeClass
        group: karpenter.kwok.sh
      expireAfter: 720h # 30 * 24h = 720h
      taints:
        - effect: NoSchedule
          key: karpenter.sh/special-taint
  limits:
    cpu: 1000
  disruption:
    consolidationPolicy: WhenEmptyOrUnderutilized
    consolidateAfter: 10s
---
apiVersion: karpenter.kwok.sh/v1alpha1
kind: KWOKNodeClass
metadata:
  name: default
EOF
```
Versions:

- Chart Version: 0.35.0
- Kubernetes Version (`kubectl version`):
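To make the failing check concrete, the following is an added example (not code from the Karpenter or KWOK projects) that models offline what the OwnerReferencesPermissionEnforcement admission plugin enforces: any ownerReference with `blockOwnerDeletion: true` is only accepted if the requester may `update` the `<owner resource>/finalizers` subresource in the owner's API group. It evaluates RBAC rule lists in the shape of a ClusterRole's `rules:` against the two requests the issue describes. The "before" rule list is a constructed approximation (the chart rules without the finalizers subresources), the "after" list is the one proposed in the issue, and the owner relationships (NodeClaim owned by NodePool, Node owned by NodeClaim) are assumptions consistent with the two finalizers subresources the fix adds. The model is simplified: the real plugin resolves the owner's kind to a resource through the REST mapper and only examines references that are new or changed.

```python
"""Offline model of the OwnerReferencesPermissionEnforcement check.

The plugin rejects a create/update that carries an ownerReference with
blockOwnerDeletion=true unless the requester can "update" the finalizers
subresource of the owner's resource. We replay that decision against
ClusterRole-style rule lists so the RBAC fix can be checked without a cluster.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OwnerRef:
    api_group: str            # API group of the owner, e.g. "karpenter.sh"
    resource: str             # plural resource name of the owner (assumed
                              # already resolved from kind, e.g. "nodepools")
    block_owner_deletion: bool


def rule_allows(rule: dict, group: str, resource: str, verb: str) -> bool:
    """One PolicyRule matches when group, resource and verb are all covered
    ("*" is the RBAC wildcard for each field)."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))


def can_i(rules: list, group: str, resource: str, verb: str) -> bool:
    """Equivalent of `kubectl auth can-i <verb> <resource>` for a rule list."""
    return any(rule_allows(r, group, resource, verb) for r in rules)


def admission_check(rules: list, owner_refs: list) -> tuple:
    """Return (allowed, reason). Each blockOwnerDeletion=true reference needs
    'update' on <owner resource>/finalizers in the owner's API group."""
    for ref in owner_refs:
        if not ref.block_owner_deletion:
            continue  # plugin only cares about references that block deletion
        sub = f"{ref.resource}/finalizers"
        if not can_i(rules, ref.api_group, sub, "update"):
            return False, ("cannot set blockOwnerDeletion if an ownerReference "
                           "refers to a resource you can't set finalizers on: "
                           f"{ref.api_group}/{sub}")
    return True, ""


# Constructed approximation of the chart rules before the fix (assumption:
# the finalizers subresources are not granted).
RULES_BEFORE = [
    {"apiGroups": ["karpenter.sh"],
     "resources": ["nodeclaims", "nodeclaims/status"],
     "verbs": ["create", "delete", "update", "patch"]},
    {"apiGroups": ["karpenter.sh"],
     "resources": ["nodepools", "nodepools/status"],
     "verbs": ["update", "patch"]},
]

# Rules as proposed in the issue.
RULES_AFTER = [
    {"apiGroups": ["karpenter.sh"],
     "resources": ["nodeclaims", "nodeclaims/status", "nodeclaims/finalizers"],
     "verbs": ["create", "delete", "update", "patch"]},
    {"apiGroups": ["karpenter.sh"],
     "resources": ["nodepools", "nodepools/status", "nodepools/finalizers"],
     "verbs": ["update", "patch"]},
]

# Assumed owner relationships for the two requests described in the issue.
NODECLAIM_CREATE = [OwnerRef("karpenter.sh", "nodepools", True)]   # NodeClaim -> NodePool
NODE_UPDATE = [OwnerRef("karpenter.sh", "nodeclaims", True)]       # Node -> NodeClaim


if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        for req, refs in (("create NodeClaim", NODECLAIM_CREATE),
                          ("update Node", NODE_UPDATE)):
            allowed, reason = admission_check(rules, refs)
            print(f"{label:6} {req:16} -> {'allowed' if allowed else 'forbidden: ' + reason}")
```

On a live cluster the same question is answered by `kubectl auth can-i update nodepools.karpenter.sh/finalizers --as=system:serviceaccount:<namespace>:<karpenter service account>` (and likewise for `nodeclaims.karpenter.sh/finalizers`), which is the quickest way to confirm the ClusterRole change landed before re-running the provisioner.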