Add support running with OwnerReferencesPermissionEnforcement

adrianchiris · adrianchiris · commit 3f012c2d5a14 · 2025-01-08T13:44:30.000+02:00
when OwnerReferencesPermissionEnforcement validating webhook is
enabled additional permissions are required to set/update owner ref
field. NFD worker sets/updates NodeFeature owner ref field to
the worker pod and owning daemonset.

owner reference can only be updated if the worker has delete permissions
for NodeFeatures.

if owner reference has blockOwnerDeletion (as the case for the daemonset
owner reference) then it requires update permissions to the finalizers
of the owner, to avoid this, we set blockOwnerDeleteion to false for all
owners referenced from NFD worker pod when setting/updating NodeFeature
owner ref.

Signed-off-by: adrianc &lt;adrianc@nvidia.com&gt;
diff --git a/deployment/base/rbac/worker-role.yaml b/deployment/base/rbac/worker-role.yaml
@@ -11,6 +11,7 @@ rules:
   - create
   - get
   - update
+  - delete
 - apiGroups:
   - ""
   resources:
diff --git a/deployment/helm/node-feature-discovery/templates/role.yaml b/deployment/helm/node-feature-discovery/templates/role.yaml
@@ -15,6 +15,7 @@ rules:
   - create
   - get
   - update
+  - delete
 - apiGroups:
   - ""
   resources:
diff --git a/pkg/nfd-worker/nfd-worker.go b/pkg/nfd-worker/nfd-worker.go
@@ -37,6 +37,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation"
 	k8sclient "k8s.io/client-go/kubernetes"
 	"k8s.io/klog/v2"
+	"k8s.io/utils/ptr"
 	klogutils "sigs.k8s.io/node-feature-discovery/pkg/utils/klog"
 	"sigs.k8s.io/yaml"
 
@@ -280,7 +281,10 @@ func (w *nfdWorker) setOwnerReference() error {
 				klog.ErrorS(err, "failed to get self pod, cannot inherit ownerReference for NodeFeature")
 				return err
 			} else {
-				ownerReference = append(ownerReference, selfPod.OwnerReferences...)
+				for _, owner := range selfPod.OwnerReferences {
+					owner.BlockOwnerDeletion = ptr.To(false)
+					ownerReference = append(ownerReference, owner)
+				}
 			}
 
 			podUID := os.Getenv("POD_UID")
diff --git a/test/e2e/utils/rbac.go b/test/e2e/utils/rbac.go
@@ -227,7 +227,7 @@ func createRoleWorker(ctx context.Context, cs clientset.Interface, ns string) (*
 			{
 				APIGroups: []string{"nfd.k8s-sigs.io"},
 				Resources: []string{"nodefeatures"},
-				Verbs:     []string{"create", "get", "update"},
+				Verbs:     []string{"create", "get", "update", "delete"},
 			},
 			{
 				APIGroups: []string{""},

Original file line number	Diff line number	Diff line change
`@@ -227,7 +227,7 @@ func createRoleWorker(ctx context.Context, cs clientset.Interface, ns string) (*`
`227`	`227`	`{`
`228`	`228`	`APIGroups: []string{"nfd.k8s-sigs.io"},`
`229`	`229`	`Resources: []string{"nodefeatures"},`
`230`		`- Verbs: []string{"create", "get", "update"},`
	`230`	`+ Verbs: []string{"create", "get", "update", "delete"},`
`231`	`231`	`},`
`232`	`232`	`{`
`233`	`233`	`APIGroups: []string{""},`