feat: stop requiring namespace object permissions (cloudnative-pg#4753)

Remove the namespace deletion check at the start of the reconciliation cycle and the permissions to read namespace definitions. Closes cloudnative-pg#4752 Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com> Signed-off-by: Douglass Kirkley <dkirkley@eitccorp.com>
dougkirkley · Jun 11, 2024 · 21e9927 · 21e9927
1 parent 2182b44
commit 21e9927
Show file tree

Hide file tree

Showing 3 changed files with 0 additions and 29 deletions.
diff --git a/config/olm-rbac/role_global.yaml b/config/olm-rbac/role_global.yaml
@@ -4,14 +4,6 @@ kind: ClusterRole
 metadata:
   name: manager
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - ""
   resources:

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -31,14 +31,6 @@ rules:
   verbs:
   - create
   - patch
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - ""
   resources:

diff --git a/internal/controller/cluster_controller.go b/internal/controller/cluster_controller.go
@@ -107,7 +107,6 @@ var ErrNextLoop = utils.ErrNextLoop
 // +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;watch;delete;patch
 // +kubebuilder:rbac:groups="",resources=configmaps/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
-// +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=persistentvolumeclaims,verbs=get;list;create;watch;delete;patch
 // +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;delete;patch;create;watch
@@ -476,18 +475,6 @@ func (r *ClusterReconciler) getCluster(
 		return nil, fmt.Errorf("cannot get the managed resource: %w", err)
 	}
 
-	var namespace corev1.Namespace
-	if err := r.Get(ctx, client.ObjectKey{Namespace: "", Name: req.Namespace}, &namespace); err != nil {
-		// This is a real error, maybe the RBAC configuration is wrong?
-		return nil, fmt.Errorf("cannot get the containing namespace: %w", err)
-	}
-
-	if !namespace.DeletionTimestamp.IsZero() {
-		// This happens when you delete a namespace containing a Cluster resource. If that's the case,
-		// let's just wait for the Kubernetes to remove all object in the namespace.
-		return nil, nil
-	}
-
 	return cluster, nil
 }