operator: allow controllers to touch ownerReferences always
Resources in clusters with OwnerReferencesPermissionEnforcement
(e.g., OpenShift) get stricter checks for metadata.ownerReferences.

This appears via errors like:
“is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to
a resource you can’t set finalizers on: ...”

The fix is to add "update" permission on the finalizers subresource
of the xDevicePlugins resources.

Signed-off-by: Mikko Ylinen <[email protected]>
mythi committed Nov 19, 2021
1 parent 471549c commit cb12893
Showing 8 changed files with 43 additions and 1 deletion.
36 changes: 36 additions & 0 deletions deployments/operator/rbac/role.yaml
Expand Up @@ -63,6 +63,12 @@ rules:
- patch
- update
- watch
- apiGroups:
- deviceplugin.intel.com
resources:
- dlbdeviceplugins/finalizers
verbs:
- update
- apiGroups:
- deviceplugin.intel.com
resources:
Expand All @@ -83,6 +89,12 @@ rules:
- patch
- update
- watch
- apiGroups:
- deviceplugin.intel.com
resources:
- dsadeviceplugins/finalizers
verbs:
- update
- apiGroups:
- deviceplugin.intel.com
resources:
Expand All @@ -103,6 +115,12 @@ rules:
- patch
- update
- watch
- apiGroups:
- deviceplugin.intel.com
resources:
- fpgadeviceplugins/finalizers
verbs:
- update
- apiGroups:
- deviceplugin.intel.com
resources:
Expand All @@ -123,6 +141,12 @@ rules:
- patch
- update
- watch
- apiGroups:
- deviceplugin.intel.com
resources:
- gpudeviceplugins/finalizers
verbs:
- update
- apiGroups:
- deviceplugin.intel.com
resources:
Expand All @@ -143,6 +167,12 @@ rules:
- patch
- update
- watch
- apiGroups:
- deviceplugin.intel.com
resources:
- qatdeviceplugins/finalizers
verbs:
- update
- apiGroups:
- deviceplugin.intel.com
resources:
Expand All @@ -163,6 +193,12 @@ rules:
- patch
- update
- watch
- apiGroups:
- deviceplugin.intel.com
resources:
- sgxdeviceplugins/finalizers
verbs:
- update
- apiGroups:
- deviceplugin.intel.com
resources:
2 changes: 1 addition & 1 deletion deployments/operator/webhook/manifests.yaml
Expand Up @@ -12,7 +12,7 @@ webhooks:
service:
name: webhook-service
namespace: system
path: /mutate-deviceplugin-intel-com-v1-dlbdeviceplugin
path: /mutate-deviceplugin-intel-com-v1-dlbdeviceplugin
failurePolicy: Fail
name: mdlbdeviceplugin.kb.io
rules:
1 change: 1 addition & 0 deletions pkg/controllers/dlb/controller.go
Expand Up @@ -41,6 +41,7 @@ const (

// +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=dlbdeviceplugins,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=dlbdeviceplugins/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=dlbdeviceplugins/finalizers,verbs=update

// SetupReconciler creates a new reconciler for DlbDevicePlugin objects.
func SetupReconciler(mgr ctrl.Manager, namespace string, withWebhook bool) error {
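Review bot: The new `dlbdeviceplugins/finalizers` marker carries no explanation of why `update` on the finalizers subresource is needed, and because nothing in this hunk shows the controller managing finalizers itself, a later cleanup could treat the marker as unused and drop it, reintroducing the OwnerReferencesPermissionEnforcement failure described in the commit message. Suggest a comment directly above the marker: `// update on the finalizers subresource is required so ownerReferences with blockOwnerDeletion can be set on owned objects when OwnerReferencesPermissionEnforcement is enabled (e.g. OpenShift).` The same applies to the identical hunks in the dsa, fpga, gpu, qat and sgx controller.go files. Note that the marker only grants the verb `update`, which is the minimal permission the admission check requires; the generated role.yaml presumably has to be regenerated whenever these markers change, so it is worth confirming that the checked-in role matches the markers. SetupReconciler begins on the last line of the hunk and its body lies outside it.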
1 change: 1 addition & 0 deletions pkg/controllers/dsa/controller.go
Expand Up @@ -41,6 +41,7 @@ const (

// +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=dsadeviceplugins,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=dsadeviceplugins/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=dsadeviceplugins/finalizers,verbs=update

// SetupReconciler creates a new reconciler for DsaDevicePlugin objects.
func SetupReconciler(mgr ctrl.Manager, namespace string, withWebhook bool) error {
1 change: 1 addition & 0 deletions pkg/controllers/fpga/controller.go
Expand Up @@ -41,6 +41,7 @@ const (

// +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=fpgadeviceplugins,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=fpgadeviceplugins/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=fpgadeviceplugins/finalizers,verbs=update

// SetupReconciler creates a new reconciler for FpgaDevicePlugin objects.
func SetupReconciler(mgr ctrl.Manager, namespace string, withWebhook bool) error {
1 change: 1 addition & 0 deletions pkg/controllers/gpu/controller.go
Expand Up @@ -43,6 +43,7 @@ const (

// +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=gpudeviceplugins,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=gpudeviceplugins/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=gpudeviceplugins/finalizers,verbs=update

// SetupReconciler creates a new reconciler for GpuDevicePlugin objects.
func SetupReconciler(mgr ctrl.Manager, namespace string, withWebhook bool) error {
1 change: 1 addition & 0 deletions pkg/controllers/qat/controller.go
Expand Up @@ -41,6 +41,7 @@ const (

// +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=qatdeviceplugins,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=qatdeviceplugins/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=qatdeviceplugins/finalizers,verbs=update

// SetupReconciler creates a new reconciler for QatDevicePlugin objects.
func SetupReconciler(mgr ctrl.Manager, namespace string, withWebhook bool) error {
1 change: 1 addition & 0 deletions pkg/controllers/sgx/controller.go
Expand Up @@ -41,6 +41,7 @@ const (

// +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=sgxdeviceplugins,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=sgxdeviceplugins/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=deviceplugin.intel.com,resources=sgxdeviceplugins/finalizers,verbs=update

// SetupReconciler creates a new reconciler for SgxDevicePlugin objects.
func SetupReconciler(mgr ctrl.Manager, namespace string, withWebhook bool) error {
