Merge pull request #42 from appuio/fix/namespace-owner-reference

glrf · web-flow · commit 734955ad9bf7 · 2022-11-03T09:11:19.000+01:00
Fix permission to be able to set owner references
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -20,6 +20,12 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces/finalizers
+  verbs:
+  - update
 - apiGroups:
   - ""
   resources:
diff --git a/controllers/org_rbac_controller.go b/controllers/org_rbac_controller.go
@@ -37,6 +37,9 @@ const LabelRoleBindingUninitialized = "appuio.io/uninitialized"
 //+kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;patch;update
 //+kubebuilder:rbac:groups="",resources=events,verbs=create;patch
 
+// We don't actually want or need to set finalizers, but if "OwnerReferencesPermissionEnforcement" is enabled we need this permission to set an owner reference to a namespace
+//+kubebuilder:rbac:groups="",resources=namespaces/finalizers,verbs=update
+
 // Reconcile makes sure the role bindings for the configured cluster roles are present in every organization namespace.
 // It will also update role bindings with the label "appuio.io/uninitialized": "true" to the default config.
 func (r *OrganizationRBACReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
@@ -100,8 +103,7 @@ func (r *OrganizationRBACReconciler) putRoleBinding(ctx context.Context, ns core
 			}
 			delete(rb.Labels, LabelRoleBindingUninitialized)
 		}
-		controllerutil.SetControllerReference(&ns, rb, r.Scheme)
-		return nil
+		return controllerutil.SetControllerReference(&ns, rb, r.Scheme)
 	})
 
 	return err
