From 6f05e85cce1ff82fd832a2444c158044c63ec27c Mon Sep 17 00:00:00 2001
From: Alex Kalenyuk
Date: Thu, 19 Dec 2024 15:38:09 +0200
Subject: [PATCH] Add PV patch RBAC for external provisioner sidecar (#546)

For newer versions of the sidecar, this is needed to achieve PV finalizer orchestration.
```
E1219 13:01:22.150741 1 controller.go:1025] error syncing volume "pvc-45bfe11e-d5e3-4275-8df0-652f84de15a7": persistentvolumes "pvc-45bfe11e-d5e3-4275-8df0-652f84de15a7" is forbidden: User "system:serviceaccount:openshift-cnv:hostpath-provisioner-admin-csi" cannot patch resource "persistentvolumes" in API group "" at the cluster scope
```
Signed-off-by: Alex Kalenyuk
---
 deploy/operator.yaml | 1 +
 pkg/controller/hostpathprovisioner/controller_test.go | 1 +
 pkg/controller/hostpathprovisioner/rbac.go | 1 +
 tools/helper/cluster_role_generated.go | 1 +
 4 files changed, 4 insertions(+)
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
index 5722dcd0b..0329b04f5 100644
--- a/deploy/operator.yaml
+++ b/deploy/operator.yaml
@@ -18,6 +18,7 @@ rules:
 - watch
 - create
 - delete
+ - patch
 - apiGroups:
 - ""
 resources:
diff --git a/pkg/controller/hostpathprovisioner/controller_test.go b/pkg/controller/hostpathprovisioner/controller_test.go
index de64c9476..fe009f9cb 100644
--- a/pkg/controller/hostpathprovisioner/controller_test.go
+++ b/pkg/controller/hostpathprovisioner/controller_test.go
@@ -732,6 +732,7 @@ func verifyCreateCSIClusterRole(cl client.Client, enableSnapshot bool) {
 "watch",
 "create",
 "delete",
+ "patch",
 },
 },
 {
diff --git a/pkg/controller/hostpathprovisioner/rbac.go b/pkg/controller/hostpathprovisioner/rbac.go
index 82c79ff72..d462d6818 100644
--- a/pkg/controller/hostpathprovisioner/rbac.go
+++ b/pkg/controller/hostpathprovisioner/rbac.go
@@ -250,6 +250,7 @@ func (r *ReconcileHostPathProvisioner) createCsiClusterRoleObjectProvisioner(cr
 "watch",
 "create",
 "delete",
+ "patch",
 },
 },
 {
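Review bot: The rule that receives `- patch` in deploy/operator.yaml begins above the hunk, so its `resources:` list is not visible here; if it names anything besides `persistentvolumes`, those resources gain patch too, which is more than the forbidden error in the commit message calls for. The operator presumably needs the verb only because Kubernetes will not let it create a ClusterRole containing permissions it does not itself hold. That reason is worth recording beside the verb, e.g. `# patch: held so the operator can grant it to the CSI provisioner ClusterRole`. The identical hunk in tools/helper/cluster_role_generated.go appears, by its name, to be generated output and should carry the same comment through its generator rather than by hand.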
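Review bot: The new `"patch",` entry in `createCsiClusterRoleObjectProvisioner` widens a cluster-scoped grant to the provisioner service account without saying why, so a later least-privilege audit cannot tell that it is deliberate. RBAC cannot narrow this to the volumes this driver created, so the verb applies to every PersistentVolume in the cluster, including mutable fields such as the claim reference and reclaim policy. Suggest a comment on the line, `// patch: the external-provisioner sidecar manages its PV finalizer via PATCH`, and confirm that the rule's Resources slice, which sits above the hunk, lists only persistentvolumes. The matching hunk in controller_test.go shows only the mirrored verb list, so it is worth checking that the test also pins the Resources entry.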
diff --git a/tools/helper/cluster_role_generated.go b/tools/helper/cluster_role_generated.go
index 16f0b0ce2..b387fb700 100644
--- a/tools/helper/cluster_role_generated.go
+++ b/tools/helper/cluster_role_generated.go
@@ -18,6 +18,7 @@ rules:
 - watch
 - create
 - delete
+ - patch
 - apiGroups:
 - ""
 resources: