rgw: fix blockOwnerDeletion error #9441
This restores the missing permissions to allow the object controller to update the finalizers section in the spec. See https://sdk.operatorframework.io/docs/faqs/ Signed-off-by: Daniel Ruiz Capilla <crd1985@gmail.com>
The change looks clean to me.
@@ -464,6 +464,11 @@ rules: | |||
verbs: | |||
# OBC controller updates OBC and OB statuses | |||
- update | |||
- apiGroups: ["objectbucket.io"] | |||
resources: ["objectbucketclaims/finalizers", "objectbuckets/finalizers"] |
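Review bot: The new `objectbucket.io` rule for `objectbucketclaims/finalizers` and `objectbuckets/finalizers` carries no comment saying why it is needed, while the rule just above it documents its purpose with `# OBC controller updates OBC and OB statuses`. Add a matching comment on the new rule's verbs, for example that the controller needs it to set blockOwnerDeletion on owner references pointing at OBCs and OBs, so the rule is not later removed as redundant. The verbs of the new rule are not visible in this excerpt; they should be limited to `update`.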
How about if you add these two resources to line 463 above instead of creating a new api group?
IMO, even though it's more lines of config, I think it reads better to have these be separate sections. That way, finalizers are independent of status if anything needs to change in the future. Generally speaking, I think this will help keep the permissions more minimal in the long-term.
Same thoughts for me as @BlaineEXE, but I can change it however you decide it's better. Let me know if you still think it's better to recombine the two api groups.
It's functionally the same, so I'm fine going with this for now.
ceph: fix blockOwnerDeletion error (backport #9441)
See https://sdk.operatorframework.io/docs/faqs/ for further reference
Signed-off-by: Daniel Ruiz Capilla <crd1985@gmail.com>
Description of your changes:
This PR adds a missing role to allow the object controller to update the finalizers section in OBC and OB. Otherwise, an error like
secrets \"my-bucket\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on:
is thrown in the operator log. This error is raised when the plugin OwnerReferencesPermissionEnforcement is enabled (OKD 4.8 on bare metal in my use case).
See https://sdk.operatorframework.io/docs/faqs/#after-deploying-my-operator-why-do-i-see-errors-like-is-forbidden-cannot-set-blockownerdeletion-if-an-ownerreference-refers-to-a-resource-you-cant-set-finalizers-on- for further reference.
Which issue is resolved by this Pull Request:
Resolves #
Checklist:
`make codegen` has been run to update object specifications, if necessary.
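The permission lookup behind the error in the description above, modelled offline as an added example (not Rook's or Kubernetes' own code): with OwnerReferencesPermissionEnforcement enabled, setting blockOwnerDeletion requires `update` on the owner's `finalizers` subresource, and RBAC grants a subresource only when it is listed. The status rule, the parent-only rule and the `update` verb on the finalizers rule are assumptions, since the page does not show them.

```python
# Added example: offline model of the RBAC lookup behind the error above.
def _has(values, wanted):
    return "*" in values or wanted in values

def rule_allows(rule, verb, group, resource, subresource=""):
    """Match one request against one RBAC rule the way Kubernetes RBAC does."""
    if not (_has(rule.get("verbs", []), verb)
            and _has(rule.get("apiGroups", []), group)):
        return False
    combined = f"{resource}/{subresource}" if subresource else resource
    for entry in rule.get("resources", []):
        # "*" covers everything; otherwise the subresource must be listed
        # explicitly, either exactly or as "*/<subresource>".
        if entry in ("*", combined):
            return True
        if subresource and entry == f"*/{subresource}":
            return True
    return False

def can_block_owner_deletion(rules, owner_group, owner_resource):
    """OwnerReferencesPermissionEnforcement asks: may the caller `update`
    the owner's `finalizers` subresource?"""
    return any(
        rule_allows(r, "update", owner_group, owner_resource, "finalizers")
        for r in rules
    )

GROUP = "objectbucket.io"
# Constructed: status rule inferred from the diff comment; resources assumed.
STATUS_RULE = {"apiGroups": [GROUP], "verbs": ["update"],
               "resources": ["objectbucketclaims/status", "objectbuckets/status"]}
# Resources from the PR diff; the verb is an assumption (not shown on the page).
FINALIZERS_RULE = {"apiGroups": [GROUP], "verbs": ["update"],
                   "resources": ["objectbucketclaims/finalizers", "objectbuckets/finalizers"]}
# Constructed: full access to the parent resources, no subresources listed.
PARENT_ONLY_RULE = {"apiGroups": [GROUP], "verbs": ["*"],
                    "resources": ["objectbucketclaims", "objectbuckets"]}

def report(rules):
    """Per owner resource: would the admission plugin accept blockOwnerDeletion?"""
    return {res: can_block_owner_deletion(rules, GROUP, res)
            for res in ("objectbucketclaims", "objectbuckets")}

if __name__ == "__main__":
    print("status only:", report([STATUS_RULE]))
    print("parent only:", report([PARENT_ONLY_RULE]))
    print("with finalizers rule:", report([STATUS_RULE, FINALIZERS_RULE]))
```

The parent-only case shows why a wildcard verb on `objectbucketclaims` alone does not clear the error: the `finalizers` subresource still has to be granted by name.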