Resolving CustomDomain Deletion in ROSA Due to Admission Webhook "regular-user-validation.managed.openshift.io" Denied
Environment
- Red Hat OpenShift on AWS (ROSA)
  - 4
- Red Hat OpenShift Dedicated (OSD)
  - 4
Issue
- Unable to delete a custom domain in ROSA (Red Hat OpenShift Service on AWS) using the oc command-line tool.
Command Used:
oc delete customdomain $CUSTOM_DOMAIN
Error Received:
Error from server (Prevented from accessing Red Hat managed resources. This is in an effort to prevent harmful actions that may cause unintended consequences or affect the stability of the cluster. If you have any questions about this, please reach out to Red Hat support at https://access.redhat.com/support): admission webhook "regular-user-validation.managed.openshift.io" denied the request: Prevented from accessing Red Hat managed resources. This is in an effort to prevent harmful actions that may cause unintended consequences or affect the stability of the cluster. If you have any questions about this, please reach out to Red Hat support at https://access.redhat.com/support
Resolution
Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.
- Check Group Memberships: First, verify which users are part of the cluster-admins and dedicated-admins groups:
  $ oc get groups cluster-admins dedicated-admins
  For example, based on the output provided:
  NAME               USERS
  cluster-admins     kubeadmin
  dedicated-admins
  It appears that only the user kubeadmin has the necessary privileges to delete the CustomDomain CR.
- Add User to the Required Groups: If you need to delete the CustomDomain CR and are not part of the cluster-admins or dedicated-admins groups, you can add your username to these groups. Once added, you should be able to perform the delete action.
- Retry the Deletion: After ensuring the appropriate group membership, retry the deletion command:
  oc delete customdomain $CUSTOM_DOMAIN
- Contact Support: If you continue to face issues or have concerns, please reach out to Red Hat support at https://access.redhat.com/support.
References
Root Cause
The error comes from the admission webhook "regular-user-validation.managed.openshift.io", which restricts certain actions to prevent unintended consequences or effects on the stability of the cluster. The webhook checks for specific group memberships before allowing the deletion of the CustomDomain CR.
The function isCustomDomainAuthorized in the source code [1] checks if the user belongs to either the cluster-admins or dedicated-admins groups and if the request is for the CustomDomain CR.
Diagnostic Steps
$ oc get groups cluster-admins dedicated-admins
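The membership check above can be scripted as a preflight before retrying the delete. This is an added example, not Red Hat's code or the webhook's source: the function name in_admin_groups and the sample table are constructed here, and it assumes the USERS column lists names separated by commas.

```shell
#!/usr/bin/env bash
# Added example: preflight for the group membership the webhook requires.
# Reads the table printed by
#   oc get groups cluster-admins dedicated-admins
# on stdin and reports whether a user is listed in either group.

# in_admin_groups USER
#   Prints each matching group name on its own line.
#   Returns 0 if USER is in at least one of the two groups, 1 otherwise.
in_admin_groups() {
  local user="$1"
  awk -v user="$user" '
    # Only the two groups named in the article are considered;
    # this also skips the NAME/USERS header row.
    $1 == "cluster-admins" || $1 == "dedicated-admins" {
      group = $1
      $1 = ""                       # what remains of the row is the USERS column
      n = split($0, users, ",")     # n is 0 when the group has no users
      for (i = 1; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", users[i])   # trim padding around each name
        # Exact comparison: "kube" must not match "kubeadmin".
        if (users[i] == user) { print group; found = 1 }
      }
    }
    END { exit found ? 0 : 1 }
  '
}

# Constructed sample mirroring the output in this article:
# dedicated-admins exists but has no users.
SAMPLE_GROUPS='NAME               USERS
cluster-admins     kubeadmin
dedicated-admins'

# Live usage (requires a logged-in oc session):
#   oc get groups cluster-admins dedicated-admins | in_admin_groups "$(oc whoami)" \
#     || echo "not in cluster-admins or dedicated-admins: the delete will be denied"
```

Run against the sample, `printf '%s\n' "$SAMPLE_GROUPS" | in_admin_groups kubeadmin` prints cluster-admins, and any other username returns a non-zero status.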
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.