argo-workflows
Frequent errors on OwnerReferencesPermissionEnforcement and TLS
We are using Argo Workflow version 3.3.2 (Helm chart 0.15.1) in an OpenShift cluster, and we are frequently getting the errors below:
Error Message : step group deemed errored due to child sample-test.onExit[0].exit-time error: Internal error occurred: admission plugin "OwnerReferencesPermissionEnforcement" failed to complete validation in 13s
Error (exit code 1): Get net/http: TLS handshake timeout
Any idea how to fix this?
Thanks!
Please reach out to argo-helm.
Thanks @sarabala1979, raised in #1433.
@sarabala1979 argo-helm packages the same repo (argo-workflows), correct? Or is there any difference?
I don't think this is either a Helm or an Argo issue:
OwnerReferencesPermissionEnforcement
This admission controller protects the access to the metadata.ownerReferences of an object so that only users with "delete" permission to the object can change it. This admission controller also protects the access to metadata.ownerReferences[x].blockOwnerDeletion of an object, so that only users with "update" permission to the finalizers subresource of the referenced owner can change it.
https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
Presumably the service account the controller runs with (typically argo) does not have the delete permission.
Can you check your RBAC set-up?
@alexec Thanks for the suggestion. We went through this long ago and changed the role for the argo controller, but we are still facing the same issue...
Please let me know if any verb is missing...
Here are the verbs for the argo controller role:
rules:
  - verbs:
      - create
      - get
      - list
      - watch
      - update
      - patch
      - delete
    apiGroups:
      - ''
    resources:
      - pods
      - pods/exec
  - verbs:
      - get
      - watch
      - list
    apiGroups:
      - ''
    resources:
      - configmaps
  - verbs:
      - create
      - update
      - delete
      - get
    apiGroups:
      - ''
    resources:
      - persistentvolumeclaims
      - persistentvolumeclaims/finalizers
  - verbs:
      - get
      - list
      - watch
      - update
      - patch
      - delete
      - create
    apiGroups:
      - argoproj.io
    resources:
      - workflows
      - workflows/finalizers
      - workflowtasksets
      - workflowtasksets/finalizers
  - verbs:
      - get
      - list
      - watch
      - update
      - patch
      - delete
    apiGroups:
      - argoproj.io
    resources:
      - workflowtemplates
      - workflowtemplates/finalizers
  - verbs:
      - list
      - watch
      - deletecollection
      - delete
    apiGroups:
      - argoproj.io
    resources:
      - workflowtaskresults
      - workflowtaskresults/finalizers
  - verbs:
      - get
      - list
      - watch
      - update
      - patch
      - delete
    apiGroups:
      - argoproj.io
    resources:
      - cronworkflows
      - cronworkflows/finalizers
  - verbs:
      - create
      - patch
    apiGroups:
      - ''
    resources:
      - events
  - verbs:
      - get
      - list
    apiGroups:
      - ''
    resources:
      - serviceaccounts
  - verbs:
      - create
      - get
      - delete
    apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
  - verbs:
      - create
    apiGroups:
      - coordination.k8s.io
    resources:
      - leases
  - verbs:
      - get
      - watch
      - update
      - patch
      - delete
    apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    resourceNames:
      - workflow-controller
      - workflow-controller-lease
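Added example (not part of the original thread and not Argo or Kubernetes code): an offline model of the two checks in the documentation quoted earlier, run against RBAC rules. `THREAD_RULES` is a subset copied from the Role posted above; the function names, `WEAK_RULES`, and the simplified matching (single Role, name-scoped rules ignored) are assumptions.

```python
# Added example: offline model of the two checks that the quoted Kubernetes
# documentation attributes to OwnerReferencesPermissionEnforcement.

def rule_allows(rule, group, resource, verb, subresource=""):
    """RBAC-style match for one rule (resourceNames-scoped rules are skipped)."""
    if rule.get("resourceNames"):
        return False  # assumption: name-scoped rules never count as a grant here
    if not {"*", verb} & set(rule["verbs"]):
        return False
    if not {"*", group} & set(rule["apiGroups"]):
        return False
    wanted = f"{resource}/{subresource}" if subresource else resource
    return any(r in ("*", wanted) or (subresource and r == f"*/{subresource}")
               for r in rule["resources"])

def allowed(rules, group, resource, verb, subresource=""):
    return any(rule_allows(r, group, resource, verb, subresource) for r in rules)

def ownerref_gaps(rules, obj, owner, block_owner_deletion=True):
    """Permissions missing for setting ownerReferences on obj pointing at owner.
    obj and owner are (apiGroup, resource) tuples."""
    gaps = []
    if not allowed(rules, *obj, "delete"):          # check 1: delete on the object
        gaps.append(f"delete {obj[1]}")
    if block_owner_deletion and not allowed(rules, *owner, "update", "finalizers"):
        gaps.append(f"update {owner[1]}/finalizers")  # check 2: owner's finalizers
    return gaps

# Subset of the Role posted in the thread (pods and workflows rules only).
THREAD_RULES = [
    {"verbs": ["create", "get", "list", "watch", "update", "patch", "delete"],
     "apiGroups": [""], "resources": ["pods", "pods/exec"]},
    {"verbs": ["get", "list", "watch", "update", "patch", "delete", "create"],
     "apiGroups": ["argoproj.io"],
     "resources": ["workflows", "workflows/finalizers",
                   "workflowtasksets", "workflowtasksets/finalizers"]},
]
# Constructed counter-example: no delete on pods, no workflows/finalizers.
WEAK_RULES = [
    {"verbs": ["create", "get", "list", "watch"], "apiGroups": [""], "resources": ["pods"]},
    {"verbs": ["get", "list", "watch", "update", "patch"],
     "apiGroups": ["argoproj.io"], "resources": ["workflows"]},
]

if __name__ == "__main__":
    for name, rules in (("thread role", THREAD_RULES), ("weak role", WEAK_RULES)):
        gaps = ownerref_gaps(rules, ("", "pods"), ("argoproj.io", "workflows"))
        print(f"{name}: {', '.join(gaps) or 'no gaps'}")
```

On a live cluster, `kubectl auth can-i` with `--as` and `--subresource=finalizers` answers the same two questions for the actual service account, including bindings this model does not see.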
Hi @alexec, we are still getting the same intermittent issues frequently after updating with all the required permissions.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If this is a mentoring request, please provide an update here. Thank you for your contributions.
This issue has been closed due to inactivity. Feel free to re-open if you still encounter this issue.