Let's say the following error is returned when attempting to delete a resource, such as a service account. This happened to me when attempting to delete a service account from one of the default namespaces, such as the "default" namespace, on Red Hat OpenShift on Amazon Web Services (ROSA), even as cluster-admin.
~]# oc whoami
cluster-admin
~]# oc delete serviceaccount my-service-account --namespace default
Error from server (Deleting protected service account under namespace default is not allowed): admission webhook "serviceaccount-validation.managed.openshift.io" denied the request: Deleting protected service account under namespace default is not allowed
This is not limited to only the "default" namespace. I also had this issue when a service account was mistakenly created in the kube-system namespace, even as cluster-admin.
~]# oc whoami
cluster-admin
~]# oc delete serviceaccount my-service-account --namespace kube-system
Error from server (Deleting protected service account under namespace kube-system is not allowed): admission webhook "serviceaccount-validation.managed.openshift.io" denied the request: Deleting protected service account under namespace kube-system is not allowed
The denial is tied to the sre-serviceaccount-validation ValidatingWebhookConfiguration resource.
]$ oc get ValidatingWebhookConfiguration
NAME                            WEBHOOKS   AGE
sre-serviceaccount-validation   1          15d
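To confirm which ValidatingWebhookConfiguration registers the webhook named in the denial, the following added example (not from the original article) extracts the webhook name from the error text and matches it against a listing of configurations. The function names are hypothetical, and the sample listing line is constructed: that sre-serviceaccount-validation registers this webhook is an assumption to verify on your own cluster.

```shell
#!/bin/sh
# Added example: map an admission-webhook denial to the configuration behind it.

# Print the webhook name found in an API server denial message.
# Returns 1 when the text is not a webhook denial (e.g. an RBAC "forbidden").
denying_webhook() {
    printf '%s\n' "$1" |
        sed -n 's/.*admission webhook "\([^"]*\)" denied the request.*/\1/p' |
        head -n 1 | grep .
}

# Read "config<TAB>webhook webhook ..." lines on stdin and print every
# configuration that registers the webhook named in $1.
configs_for_webhook() {
    awk -F '\t' -v want="$1" '{
        n = split($2, names, " ")
        for (i = 1; i <= n; i++)
            if (names[i] == want) { print $1; break }
    }'
}

# Produce that listing from a live cluster (requires a logged-in oc session).
list_webhook_configs() {
    oc get validatingwebhookconfiguration -o \
      jsonpath='{range .items[*]}{.metadata.name}{"\t"}{range .webhooks[*]}{.name}{" "}{end}{"\n"}{end}'
}

# Offline demonstration. The error text is the one shown in the article;
# the listing line is CONSTRUCTED sample data, not real cluster output.
err='Error from server (Deleting protected service account under namespace default is not allowed): admission webhook "serviceaccount-validation.managed.openshift.io" denied the request: Deleting protected service account under namespace default is not allowed'
hook=$(denying_webhook "$err")
printf 'sre-serviceaccount-validation\t%s \n' "$hook" | configs_for_webhook "$hook"

# Against a live cluster:
#   err=$(oc delete serviceaccount my-service-account --namespace default 2>&1)
#   hook=$(denying_webhook "$err") && list_webhook_configs | configs_for_webhook "$hook"
```

Because denying_webhook returns non-zero for anything that is not a webhook denial, automation can use it to tell this case apart from an RBAC failure before escalating.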
I opened a case with Red Hat support and they confirmed that certain resources (such as service accounts) in certain namespaces (such as default and kube-system) cannot be deleted on ROSA, even as cluster-admin. A case must be opened with Red Hat to have the resource deleted.