MountVolume.SetUp failed: cannot set blockOwnerDeletion: cannot find RESTMapping for APIVersion core/v1 Kind Pod #21

Open
cdjohnson opened this issue May 2, 2020 · 0 comments

I'm attempting to run cert-manager-csi with cert-manager v0.14.3 on OpenShift 4.4.1.

When attempting to deploy the cert-manager-csi/deploy/example/example-app.yaml, I get the following error message in the Pod status:

```
Warning FailedMount 3s (x7 over 36s) kubelet, worker1.cdj-ocp441a.cp.fyre.ibm.com MountVolume.SetUp failed for volume "tls" : kubernetes.io/csi: mounter.SetupAt failed: rpc error: code = Unknown desc = failed to create new certificate: certificaterequests.cert-manager.io "csi-8b7360bf145d2c9b73d6aa33d309c2c4bfdb15e32a6211d06437b83c4dca4e5a" is forbidden: cannot set blockOwnerDeletion in this case because cannot find RESTMapping for APIVersion core/v1 Kind Pod: no matches for kind "Pod" in version "core/v1"
```

To recreate on OpenShift 4.1.1:

1. Create the following resources to allow the pod to mount a csi volume:

```yaml
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: restricted + csi
  name: cert-manager-csi-client-scc
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
groups: []
volumes:
- configMap
- downwardAPI
- csi
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-csi-client-scc
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - cert-manager-csi-client
  resources:
  - securitycontextconstraints
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-csi-rolebinding
  namespace: sandbox
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-csi-client-scc
subjects:
- kind: Group
  name: system:serviceaccounts:sandbox
```

2. Apply the sample files: `kubectl apply -f deploy/example/example-app.yaml`

Result: The Pod fails to start with the aforementioned error.
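
An added example, not part of the original issue or of the cert-manager-csi code: how an ownerReference `apiVersion` string splits into group and version, showing why `core/v1` does not resolve to `Pod` while `v1` does. The `served` table is a constructed stand-in for API discovery, and `CheckOwnerRef` is a hypothetical helper.

```go
package main

import (
	"fmt"
	"strings"
)

// GroupVersion is the (group, version) pair an apiVersion string encodes.
type GroupVersion struct{ Group, Version string }

// ParseGroupVersion splits an apiVersion the way Kubernetes does:
// "v1" is the legacy core group (empty group name), "apps/v1" is group "apps".
func ParseGroupVersion(apiVersion string) (GroupVersion, error) {
	parts := strings.Split(apiVersion, "/")
	switch {
	case apiVersion == "" || len(parts) > 2:
		return GroupVersion{}, fmt.Errorf("unexpected apiVersion %q", apiVersion)
	case len(parts) == 1:
		return GroupVersion{Version: parts[0]}, nil
	default:
		return GroupVersion{Group: parts[0], Version: parts[1]}, nil
	}
}

// served is a constructed stand-in for API discovery (assumption: a real
// cluster answers this from its discovery endpoints, not a static map).
var served = map[GroupVersion]map[string]bool{
	{Group: "", Version: "v1"}:     {"Pod": true, "ConfigMap": true},
	{Group: "apps", Version: "v1"}: {"Deployment": true},
}

// CheckOwnerRef (hypothetical helper) reports whether an ownerReference's
// apiVersion/kind pair names a type that the constructed table serves.
func CheckOwnerRef(apiVersion, kind string) error {
	gv, err := ParseGroupVersion(apiVersion)
	if err != nil {
		return err
	}
	if !served[gv][kind] {
		return fmt.Errorf("no matches for kind %q in version %q", kind, apiVersion)
	}
	return nil
}

func main() {
	for _, v := range []string{"v1", "core/v1"} {
		fmt.Printf("%-8s Pod -> %v\n", v, CheckOwnerRef(v, "Pod"))
	}
}
```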
