Add RBAC access to finalizers for the operator role
On Openshift, the operator failed with error

"\"submariner-gateway\" is forbidden: cannot set blockOwnerDeletion
if an ownerReference refers to a resource you can't set finalizers on"

Openshift enables OwnerReferencesPermissionEnforcement, so
in order to set blockOwnerDeletion for an object, the user needs
update permission for the finalizers subresource of the referenced
owner. In this case the owner is the Submariner object.

Signed-off-by: Tom Pantelis <[email protected]>
tpantelis authored and skitt committed May 21, 2024
1 parent 58bf5a2 commit 9d8c4f5
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions submariner-operator/templates/rbac.yaml
Expand Up @@ -81,6 +81,13 @@ rules:
- get
- list
- watch
- apiGroups:
- submariner.io
resources:
- submariners/finalizers
- servicediscoveries/finalizers
verbs:
- update
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
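Review bot: `servicediscoveries/finalizers` in the new rule has no stated justification. The commit message explains only the Submariner owner, since the failing object was "submariner-gateway" and its owner is the Submariner object. If the operator also sets blockOwnerDeletion on objects owned by a ServiceDiscovery, say so in the commit message; otherwise drop that resource so the role carries only what is needed. A short YAML comment above the rule noting that it exists because of OwnerReferencesPermissionEnforcement would keep a later cleanup from removing it as unused. Limiting the verbs to `update` matches what the error requires and should stay that narrow.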