Merge pull request #5722 from AndiDog/blockownerdeletion-fix

k8s-ci-robot · web-flow · commit 8ff7054d8b05 · 2025-11-10T23:40:56.000-08:00
🐛 Add update permission for `AWSMachinePool` finalizers as needed by `OwnerReferencesPermissionEnforcement` admission policy for setting `BlockOwnerDeletion: true` on AWSMachinePool AWSMachines
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -182,6 +182,13 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - infrastructure.cluster.x-k8s.io
+  resources:
+  - awsmachinepools/finalizers
+  verbs:
+  - delete
+  - update
 - apiGroups:
   - infrastructure.cluster.x-k8s.io
   resources:
diff --git a/controllers/awsmachine_controller.go b/controllers/awsmachine_controller.go
@@ -145,6 +145,7 @@ func (r *AWSMachineReconciler) getObjectStoreService(scope scope.S3Scope) servic
 // +kubebuilder:rbac:groups=controlplane.cluster.x-k8s.io,resources=*,verbs=get;list;watch
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=awsmachines,verbs=create;get;list;watch;update;patch;delete
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=awsmachines/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=awsmachinepools/finalizers,verbs=update
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machines,verbs=get;list;watch;delete
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machines/status,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=secrets;,verbs=get;list;watch
diff --git a/exp/controllers/awsmachinepool_controller.go b/exp/controllers/awsmachinepool_controller.go
@@ -110,6 +110,7 @@ func (r *AWSMachinePoolReconciler) getObjectStoreService(scope scope.S3Scope) se
 }
 
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=awsmachinepools,verbs=get;list;watch;update;patch;delete
+// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=awsmachinepools/finalizers,verbs=delete;update
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=awsmachinepools/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinepools;machinepools/status,verbs=get;list;watch;patch
 // +kubebuilder:rbac:groups="",resources=events,verbs=get;list;watch;create;update;patch

Original file line number	Diff line number	Diff line change
`@@ -110,6 +110,7 @@ func (r *AWSMachinePoolReconciler) getObjectStoreService(scope scope.S3Scope) se`
`110`	`110`	`}`
`111`	`111`
`112`	`112`	`// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=awsmachinepools,verbs=get;list;watch;update;patch;delete`
	`113`	`+// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=awsmachinepools/finalizers,verbs=delete;update`
`113`	`114`	`// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=awsmachinepools/status,verbs=get;update;patch`
`114`	`115`	`// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinepools;machinepools/status,verbs=get;list;watch;patch`
`115`	`116`	`// +kubebuilder:rbac:groups="",resources=events,verbs=get;list;watch;create;update;patch`