Openshift: User “system:serviceaccount:<project>:jenkins” can't create PV : RBAC: clusterrole.rbac.authorization.k8s.io “create” not found

Question

Openshift/okd version: 3.11

I'm using jenkins-ephemeral app from the openshift catalog and using a buildconfig to create a pipeline. Reference: https://docs.okd.io/3.11/dev_guide/dev_tutorials/openshift_pipeline.html

When i start the pipeline, in one the stage of jenkins it needs to create a persistent volume, at that point im getting the following error:

Error from server (Forbidden): persistentvolumes is forbidden: User "system:serviceaccount:pipelineproject:jenkins" cannot create persistentvolumes at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "create" not found

I have tried giving the cluster-create role to service account jenkins with following command, still im getting the same error.

oc adm policy add-cluster-role-to-user create system:serviceaccount:pipelineproject:jenkins

Will Gordon Will Gordon · Accepted Answer · 2020-05-18T14:52:26

Creating a PersistentVolume is typically something that you should not be manually doing. You should ideally be relying on PersistentVolumeClaims. PersistentVolumeClaims are namespaced resources, that your service account should be able to create with the edit Role.

$ oc project pipelineproject
$ oc policy add-role-to-user edit -z jenkins

However, if it's required that you interact with PersistentVolume objects directly, there is a storage-admin ClusterRole that should be able to give your ServiceAccount the necessary permissions.

$ oc project pipelineproject
$ oc adm policy add-cluster-role-to-user storage-admin -z jenkins

Openshift: User “system:serviceaccount:<project>:jenkins” can't create PV : RBAC: clusterrole.rbac.authorization.k8s.io “create” not found

1 Answers