agones: Agones roles have insufficient permissions defined for clusters where OwnerReferencesPermissionEnforcement is enabled

What happened: When trying to deploy a GameServer, I received an error.

What you expected to happen: A GameServer should deploy.

How to reproduce it (as minimally and precisely as possible):

create a k8s cluster
enable OwnerReferencesPermissionEnforcement plugin
install agones
create a gameserver

Environment:

Agones version: 1.7
Kubernetes version (use kubectl version): 1.6 but likely any recent version
Cloud provider or hardware configuration: N/A
Install method (yaml/helm): helm
Troubleshooting guide log(s): pods "simple-udp-jcc4d" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>

In the agones-controller role, explicitly adding the finalizers permissions (eg: gameservers/finalizers) at least is a workaround. I am not sure if that is the correct fix.

About this issue

Original URL
State: closed
Created 4 years ago
Reactions: 1
Comments: 15 (12 by maintainers)

Commits related to this issue

Allow controller service account to update finalizers In clusters where the OwnerReferencesPermissionEnforcement admission controller is enabled, the agones-controller service account needs to have a... — committed to bostrt/agones by bostrt 2 years ago

Most upvoted comments

I’ll need to play with this and try to do it with Minikube and report back with a clear reproducer.

If I get enough cycles I may be able to PR the owner references themselves.

thoraxe on Oct 22, 2020