Add RBAC permissions for finalizers (#1458)

Signed-off-by: hossainemruz <[email protected]>

Makefile

@@ -489,5 +489,9 @@ push-to-kind: container
 	@kind load docker-image $(REGISTRY)/stash:$(TAG)
 	@echo "Image has been pushed successfully into kind cluster."
 
+restart:
+	@echo "Restarting operator pod....."
+	kubectl delete pod -n $(KUBE_NAMESPACE) -l 'app.kubernetes.io/name=stash-community,app.kubernetes.io/instance=stash'
+
 .PHONY: deploy-to-kind
 deploy-to-kind: uninstall push-to-kind install

hack/kubernetes/kind.yaml

@@ -4,10 +4,7 @@ nodes:
   - role: control-plane
     kubeadmConfigPatches:
       - |
-        apiVersion: kubeadm.k8s.io/v1beta2
         kind: ClusterConfiguration
-        metadata:
-          name: config
         apiServer:
           extraArgs:
             enable-admission-plugins: "NodeRestriction,OwnerReferencesPermissionEnforcement"

pkg/controller/backup_session.go

@@ -440,7 +440,7 @@ func (c *StashController) ensureBackupJob(inv invoker.BackupInvoker, targetInfo
 		c.kubeClient,
 		jobMeta,
 		func(in *batchv1.Job) *batchv1.Job {
-			// set BackupSession as owner of this Job so that the it get cleaned automatically
+			// set BackupSession as owner of this Job so that it get cleaned automatically
 			// when the BackupSession gets deleted according to backupHistoryLimit
 			core_util.EnsureOwnerReference(&in.ObjectMeta, ownerBackupSession)
 			// pass offshoot labels to job's pod
@@ -528,7 +528,7 @@ func (c *StashController) ensureVolumeSnapshotterJob(inv invoker.BackupInvoker,
 		c.kubeClient,
 		jobMeta,
 		func(in *batchv1.Job) *batchv1.Job {
-			// set BackupSession as owner of this Job so that the it get cleaned automatically
+			// set BackupSession as owner of this Job so that it get cleaned automatically
 			// when the BackupSession gets deleted according to backupHistoryLimit
 			core_util.EnsureOwnerReference(&in.ObjectMeta, ownerBackupSession)
 

pkg/rbac/sidecar.go

@@ -74,19 +74,29 @@ func (opt *RBACOptions) ensureSidecarClusterRole() error {
 			},
 			{
 				APIGroups: []string{apps.GroupName},
-				Resources: []string{"deployments", "statefulsets"},
+				Resources: []string{"deployments", "statefulsets", "daemonsets", "replicasets"},
 				Verbs:     []string{"get", "list", "patch"},
 			},
 			{
 				APIGroups: []string{apps.GroupName},
-				Resources: []string{"daemonsets", "replicasets"},
-				Verbs:     []string{"get", "list", "patch"},
+				Resources: []string{
+					"deployments/finalizers",
+					"statefulsets/finalizers",
+					"daemonsets/finalizers",
+					"replicasets/finalizers",
+				},
+				Verbs: []string{"update"},
 			},
 			{
 				APIGroups: []string{core.GroupName},
 				Resources: []string{"replicationcontrollers"},
 				Verbs:     []string{"get", "list", "patch"},
 			},
+			{
+				APIGroups: []string{core.GroupName},
+				Resources: []string{"replicationcontrollers/finalizers"},
+				Verbs:     []string{"update"},
+			},
 			{
 				APIGroups: []string{core.GroupName},
 				Resources: []string{"secrets", "pods"},
@@ -127,6 +137,16 @@ func (opt *RBACOptions) ensureSidecarClusterRole() error {
 				Resources: []string{"leases"},
 				Verbs:     []string{"*"},
 			},
+			{
+				APIGroups: []string{"apps.openshift.io"},
+				Resources: []string{"deploymentconfigs"},
+				Verbs:     []string{"get", "list", "patch"},
+			},
+			{
+				APIGroups: []string{"apps.openshift.io"},
+				Resources: []string{"deploymentconfigs/finalizers"},
+				Verbs:     []string{"update"},
+			},
 		}
 		return in
 	}, metav1.PatchOptions{})