fix: missing permissions when OwnerReferencesPermissionEnforcement admission controller is enabled #434
NoOverflow wants to merge 2 commits into cloudnative-pg:main from
Conversation
The

Yeah I was pretty sure I was missing something and that those files weren't static. Thanks

@mnencia can we merge?

I think we can.

Hi all, any update?

… is enabled
Signed-off-by: NoOverflow <julien.prost31@ynov.com>
Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>

I see that #465 has been merged and does the same things. I apologize for not having merged this before going on holiday.

No problem, thanks anyways
Barman plugin creates a role giving the rights for a managed CNPG cluster to interact with Barman-related resources (Objectstore, related secrets...).
plugin-barman-cloud/internal/cnpgi/operator/reconciler.go, lines 121 to 125 in a225902
In order for the role to be cleaned up automatically when the related cluster is deleted, an ownerReference is set on the role pointing to that cluster.
plugin-barman-cloud/internal/cnpgi/operator/reconciler.go, lines 144 to 146 in a225902
This causes an issue on all clusters with the OwnerReferencesPermissionEnforcement admission controller configured, and consequently on all OpenShift / OKD clusters, which have it enabled by default.
This is due to the fact that this admission controller requires the ServiceAccount creating an object with an ownerReference to also have the rights to update the finalizers subresource of the referenced owner. In our case, this means that the ServiceAccount used to create the role must have the rights to update the finalizers field of a CNPG cluster object.
Fixes #425
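For readers hitting the same admission-controller rejection, here is the shape of the RBAC grant the description above is talking about. This is an added illustration, not code from PR #434 or from the plugin-barman-cloud project; the ClusterRole name and the ServiceAccount referenced in the binding are assumptions, while the API group `postgresql.cnpg.io` and resource `clusters` are those of the CNPG Cluster CRD.

```yaml
# Added example (not part of PR #434 or the plugin's own manifests).
# OwnerReferencesPermissionEnforcement lets a ServiceAccount create an object
# whose ownerReference points at a CNPG Cluster (with blockOwnerDeletion set,
# as controller-runtime's SetControllerReference does) only if that
# ServiceAccount can update the owner's "finalizers" subresource.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: plugin-barman-cloud-owner-finalizers   # assumed name
rules:
  # The grant the admission controller checks for: update on the
  # finalizers subresource of the referenced owner (the CNPG Cluster).
  - apiGroups: ["postgresql.cnpg.io"]
    resources: ["clusters/finalizers"]
    verbs: ["update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: plugin-barman-cloud-owner-finalizers   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: plugin-barman-cloud-owner-finalizers
subjects:
  # Assumed ServiceAccount: substitute the one the plugin's operator runs as.
  - kind: ServiceAccount
    name: plugin-barman-cloud
    namespace: cnpg-system
```

Before and after applying such a grant, the effective permission can be checked without creating any Role at all: `kubectl auth can-i update clusters.postgresql.cnpg.io/finalizers --as=system:serviceaccount:<namespace>:<serviceaccount>` answers `no` on a cluster where the admission controller would reject the create, and `yes` once the subresource verb is bound. Scoping the verb to `clusters/finalizers` only, rather than granting `update` on `clusters`, keeps the operator's ServiceAccount from gaining write access to the Cluster spec it does not need.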