Add RBAC access to finalizers for the operator role
On Openshift, the operator failed with error

"\"submariner-gateway\" is forbidden: cannot set blockOwnerDeletion
if an ownerReference refers to a resource you can't set finalizers on"

Openshift enables OwnerReferencesPermissionEnforcement, so
in order to set blockOwnerDeletion for an object, the user needs
update permission for the finalizers subresource of the referenced
owner. In this case the owner is the Submariner object.

Signed-off-by: Tom Pantelis <[email protected]>
tpantelis authored and skitt committed May 21, 2024
1 parent 3c85245 commit 56aaecb
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions submariner-operator/templates/rbac.yaml
Expand Up @@ -81,6 +81,13 @@ rules:
- get
- list
- watch
- apiGroups:
- submariner.io
resources:
- submariners/finalizers
- servicediscoveries/finalizers
verbs:
- update
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
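Review bot: the added rule grants update on both `submariners/finalizers` and `servicediscoveries/finalizers`, but the commit message only explains the case where the owner is the Submariner object. If ServiceDiscovery objects are also referenced as owners with blockOwnerDeletion, state that in the message or in a YAML comment above the rule; if they are not, drop `- servicediscoveries/finalizers` so the role stays minimal. A one-line comment saying the rule exists because of OwnerReferencesPermissionEnforcement would also keep it from being removed later as apparently unused. Limiting the grant to the finalizers subresource with only the `update` verb is appropriately narrow.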