[ENHANCE] additional cronjob permissions required for clusters using owner references admission controller (OpenShift) #1083

@roseo1

Is your feature request related to a problem? Please describe.

In OpenShift clusters, there are some default admission plugins enabled (default admission plugins), including OwnerReferencesPermissionEnforcement.

When using Reloader to trigger a Job from an existing CronJob as a template on a cluster with the OwnerReferencesPermissionEnforcement admission plugin enabled, job creation is blocked by the admission controller.

time="2026-01-09T16:42:54Z" level=error msg="Update for 'test-cronjob' of type 'CronJob' in namespace 'example' failed with error jobs.batch \"test-cronjob-shkqt\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>"
time="2026-01-09T16:42:54Z" level=error msg="Rolling upgrade for 'test-secret' failed with error = jobs.batch \"test-cronjob-shkqt\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>"

Describe the solution you'd like
Extend the Reloader role to cover the required permissions:

  - apiGroups:
      - "batch"
    resources:
      - cronjobs/finalizers
    verbs:
      - update

Describe alternatives you've considered

Additional context
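
Added example, not part of the original issue and not Reloader's own code: a simplified Go model of RBAC resource matching that shows why verbs granted on `cronjobs` do not cover the `cronjobs/finalizers` subresource that OwnerReferencesPermissionEnforcement checks before allowing `blockOwnerDeletion`. The `Before` role is constructed for illustration, and `Rule`, `AllowedSub` and `CanSetBlockOwnerDeletion` are hypothetical names.

```go
package main

import "fmt"

// Rule holds the RBAC PolicyRule fields relevant to this check.
type Rule struct{ APIGroups, Resources, Verbs []string }

func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// AllowedSub reports whether any rule grants verb on resource/sub.
// A plain "cronjobs" entry never matches "cronjobs/finalizers": only "*",
// the exact "resource/subresource" string, or "*/subresource" do.
func AllowedSub(rules []Rule, verb, group, resource, sub string) bool {
	for _, r := range rules {
		if !has(r.Verbs, verb) || !has(r.APIGroups, group) {
			continue
		}
		for _, rr := range r.Resources {
			if rr == "*" || rr == resource+"/"+sub || rr == "*/"+sub {
				return true
			}
		}
	}
	return false
}

// CanSetBlockOwnerDeletion models the admission check behind the error in
// the logs: the caller needs "update" on the owner's finalizers subresource.
func CanSetBlockOwnerDeletion(rules []Rule, group, owner string) bool {
	return AllowedSub(rules, "update", group, owner, "finalizers")
}

// Before is a constructed role for illustration, not Reloader's manifest.
var Before = []Rule{
	{[]string{"batch"}, []string{"cronjobs"}, []string{"list", "get"}},
	{[]string{"batch"}, []string{"jobs"}, []string{"create", "delete", "list", "get"}},
}

// After adds the rule proposed in the issue.
var After = append(append([]Rule{}, Before...),
	Rule{[]string{"batch"}, []string{"cronjobs/finalizers"}, []string{"update"}})

func main() {
	fmt.Println(CanSetBlockOwnerDeletion(Before, "batch", "cronjobs"), CanSetBlockOwnerDeletion(After, "batch", "cronjobs"))
}
```

Even a rule granting every verb on `cronjobs` fails this check, because the finalizers subresource has to be named in `resources` explicitly or by wildcard.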
