
MountVolume.SetUp failed: cannot set blockOwnerDeletion: cannot find RESTMapping for APIVersion core/v1 Kind Pod

Open cdjohnson opened this issue 5 years ago • 0 comments

I'm attempting to run cert-manager-csi with cert-manager v0.14.3 on OpenShift 4.4.1.

When attempting to deploy the cert-manager-csi/deploy/example/example-app.yaml, I get the following error message in the Pod status:

```
Warning FailedMount 3s (x7 over 36s) kubelet, worker1.cdj-ocp441a.cp.fyre.ibm.com MountVolume.SetUp failed for volume "tls" : kubernetes.io/csi: mounter.SetupAt failed: rpc error: code = Unknown desc = failed to create new certificate: certificaterequests.cert-manager.io "csi-8b7360bf145d2c9b73d6aa33d309c2c4bfdb15e32a6211d06437b83c4dca4e5a" is forbidden: cannot set blockOwnerDeletion in this case because cannot find RESTMapping for APIVersion core/v1 Kind Pod: no matches for kind "Pod" in version "core/v1"
```

To recreate on OpenShift 4.1.1:

  1. Create the following resources to allow the pod to mount a csi volume:

```yaml
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: restricted + csi
  name: cert-manager-csi-client-scc
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
groups: []
volumes:
- configMap
- downwardAPI
- csi
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-csi-client-scc
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - cert-manager-csi-client
  resources:
  - securitycontextconstraints
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-csi-rolebinding
  namespace: sandbox
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-csi-client-scc
subjects:
- kind: Group
  name: system:serviceaccounts:sandbox
```

  2. Apply the sample files: `kubectl apply -f deploy/example/example-app.yaml`

Result: The Pod fails to start with the aforementioned error.

cdjohnson avatar May 02 '20 15:05 cdjohnson