k8ssandra-operator icon indicating copy to clipboard operation
k8ssandra-operator copied to clipboard
verified publisher icon k8ssandra

Reaper-operator failing to register reaper service on openshift 4.7

Open makeittotop opened this issue 4 years ago • 2 comments

I’m facing a problem successfully registering reaper-service by the reaper-operator on openshift k8ssandra helm deployment. Rest of the components are working well.

This looks like an RBAC issue. However I’m not sure the specifics of the apiGroup that needs changing.

Can anyone help?

Details are as follows -

k8ssandra chart version k8ssandra-1.3.3

openshift/k8s version

oc version 
Client Version: 4.7.0-0.okd-2021-02-25-144700
Server Version: 4.7.34
Kubernetes Version: v1.20.0+bbbc079

helm version version.BuildInfo{Version:"v3.5.2", GitCommit:"167aac70832d3a384f65f9745335e9fb40169dc2", GitTreeState:"dirty", GoVersion:"go1.15.7

k8ssandra-reaper-operator logs

oc logs k8ssandra-sb01-reaper-operator-58b989c67c-f9bhv {“namespace”: “k8ssandra-test”, “name”: “k8ssandra-sb01-reaper-reaper-service”}} 2021-10-29T00:32:09.463Z INFO controllers.Reaper creating service {“reaper”: “k8ssandra-test/k8ssandra-sb01-reaper”, “service”: {“namespace”: “k8ssandra-test”, “name”: “k8ssandra-sb01-reaper-reaper-service”}}

2021-10-29T00:32:09.496Z ERROR controllers.Reaper failed to create service {“reaper”: “k8ssandra-test/k8ssandra-sb01-reaper”, “service”: {“namespace”: “k8ssandra-test”, “name”: “k8ssandra-sb01-reaper-reaper-service”}, “error”: "services “k8ssandra-sb01-reaper-reaper-service” is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can’t set finalizers on: , "}

┆Issue is synchronized with this Jira Story by Unito ┆Issue Number: K8OP-169

makeittotop avatar Oct 29 '21 19:10 makeittotop

Hi @makeittotop

I came across https://bugzilla.redhat.com/show_bug.cgi?id=1835066. On the surface it doesn't see to be related.

@jdonenine can we get this into the backlog and prioritized?

jsanda avatar Nov 02 '21 03:11 jsanda

rules:

  • apiGroups:
    • reaper.cassandra-reaper.io
  • resources:
  • reapers
  • reapers/finalizer Hi @jsanda ,

I've fixed it on my end by providing reaper.cassandra-reaper.io apiGroup a blanket access to reapers/finalizer resource.

rules:
- apiGroups:
  - reaper.cassandra-reaper.io
  resources:
  - reapers
  - reapers/finalizer

makeittotop avatar Nov 02 '21 15:11 makeittotop