From ab0b47ac94bbace724eb3800c27330d586170dcd Mon Sep 17 00:00:00 2001
From: Evan Cordell
Date: Wed, 19 Jun 2019 13:43:49 -0400
Subject: [PATCH] fix(catalog): do not add owner references to clusterroles or crbs
---
 pkg/controller/operators/catalog/operator.go | 18 +++---------------
 pkg/controller/registry/resolver/rbac.go | 13 +++++--------
 2 files changed, 8 insertions(+), 23 deletions(-)
diff --git a/pkg/controller/operators/catalog/operator.go b/pkg/controller/operators/catalog/operator.go
index 7f12205ea6..c5cb6ae480 100644
--- a/pkg/controller/operators/catalog/operator.go
+++ b/pkg/controller/operators/catalog/operator.go
@@ -1156,16 +1156,11 @@ func (o *Operator) ExecutePlan(plan *v1alpha1.InstallPlan) error {
 return errorwrap.Wrapf(err, "error parsing step manifest: %s", step.Resource.Name)
 }
 
- // Update UIDs on all CSV OwnerReferences
- updated, err := o.getUpdatedOwnerReferences(cr.OwnerReferences, plan.Namespace)
- if err != nil {
- return errorwrap.Wrapf(err, "error generating ownerrefs for clusterrole %s", cr.GetName())
- }
- cr.OwnerReferences = updated
-
 // Attempt to create the ClusterRole.
 _, err = o.OpClient.KubernetesInterface().RbacV1().ClusterRoles().Create(&cr)
 if k8serrors.IsAlreadyExists(err) {
+ // if we're updating, point owner to the newest csv
+ cr.Labels[ownerutil.OwnerKey] = step.Resolving
 _, err = o.OpClient.UpdateClusterRole(&cr)
 if err != nil {
 return errorwrap.Wrapf(err, "error updating clusterrole %s", cr.GetName())
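Review bot: `cr.Labels[ownerutil.OwnerKey] = step.Resolving` in the AlreadyExists branch writes into a map that appears to come straight from decoding the step manifest (the preceding error path reads "error parsing step manifest"). A manifest without `metadata.labels` leaves `cr.Labels` nil, so the assignment would panic the operator instead of returning an error. Guard it with `if cr.Labels == nil { cr.Labels = map[string]string{} }` before the assignment. The ClusterRoleBinding branch in the next hunk has the same unguarded write to `rb.Labels`. ExecutePlan starts and ends outside this hunk, so whether an earlier step guarantees labels is not visible here.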
@@ -1186,17 +1181,10 @@ func (o *Operator) ExecutePlan(plan *v1alpha1.InstallPlan) error {
 return errorwrap.Wrapf(err, "error parsing step manifest: %s", step.Resource.Name)
 }
 
- // Update UIDs on all CSV OwnerReferences
- updated, err := o.getUpdatedOwnerReferences(rb.OwnerReferences, plan.Namespace)
- if err != nil {
- return errorwrap.Wrapf(err, "error generating ownerrefs for clusterrolebinding %s", rb.GetName())
- }
- rb.OwnerReferences = updated
-
 // Attempt to create the ClusterRoleBinding.
 _, err = o.OpClient.KubernetesInterface().RbacV1().ClusterRoleBindings().Create(&rb)
 if k8serrors.IsAlreadyExists(err) {
- rb.SetNamespace(plan.Namespace)
+ rb.Labels[ownerutil.OwnerKey] = step.Resolving
 _, err = o.OpClient.UpdateClusterRoleBinding(&rb)
 if err != nil {
 return errorwrap.Wrapf(err, "error updating clusterrolebinding %s", rb.GetName())
diff --git a/pkg/controller/registry/resolver/rbac.go b/pkg/controller/registry/resolver/rbac.go
index 8d0608ddd9..15544df8ec 100644
--- a/pkg/controller/registry/resolver/rbac.go
+++ b/pkg/controller/registry/resolver/rbac.go
@@ -118,7 +118,6 @@ func RBACForClusterServiceVersion(csv *v1alpha1.ClusterServiceVersion) (map[stri
 if _, ok := permissions[permission.ServiceAccountName]; !ok {
 serviceAccount := &corev1.ServiceAccount{}
 serviceAccount.SetName(permission.ServiceAccountName)
- ownerutil.AddNonBlockingOwner(serviceAccount, csv)
 permissions[permission.ServiceAccountName] = NewOperatorPermissions(serviceAccount)
 }
 
@@ -126,9 +125,8 @@ func RBACForClusterServiceVersion(csv *v1alpha1.ClusterServiceVersion) (map[stri
 // Create ClusterRole
 role := &rbacv1.ClusterRole{
 ObjectMeta: metav1.ObjectMeta{
- Name: generateName(csv.GetName()),
- OwnerReferences: []metav1.OwnerReference{ownerutil.NonBlockingOwner(csv)},
- Labels: ownerutil.OwnerLabel(csv, v1alpha1.ClusterServiceVersionKind),
+ Name: generateName(csv.GetName()),
+ Labels: ownerutil.OwnerLabel(csv, v1alpha1.ClusterServiceVersionKind),
 },
 Rules: permission.Rules,
 }
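Review bot: In the ClusterRoleBinding branch of ExecutePlan, `rb.Labels[ownerutil.OwnerKey] = step.Resolving` followed by `UpdateClusterRoleBinding(&rb)` relabels and overwrites whatever binding already has that name, and no visible line reads the existing object or its current owner label first. With the owner reference gone, this label looks like the only ownership record for a cluster-wide grant, so the takeover should at least be stated: `// AlreadyExists: take over the existing binding and point its owner label at the resolving CSV; the previous owner is not checked`. The branch also lacks the explanatory comment the ClusterRole branch received. The function body continues outside the hunk.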
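Review bot: The first rbac.go hunk drops `ownerutil.AddNonBlockingOwner(serviceAccount, csv)`, but the commit subject only covers ClusterRoles and ClusterRoleBindings, and a ServiceAccount is a namespaced object. If a service account is named only in this branch and nothing else assigns it an owner (not visible here), it would presumably outlive the CSV. A leftover account that a cluster-scoped binding still names is a standing privilege. Either keep the line, or if the removal is deliberate, add a comment at this spot explaining why the service account carries no owner reference and what cleans it up.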
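Review bot: With `OwnerReferences` removed from the ClusterRole literal, the `ownerutil.OwnerLabel(...)` labels are the only remaining link to the CSV, so owner-based garbage collection has nothing to follow when the CSV is deleted. Nothing in this patch adds a label-based cleanup, so unless one exists elsewhere, the rules in `permission.Rules` stay granted cluster-wide after uninstall. The ClusterRoleBinding literal in the following hunk is in the same position. A comment on the literal would make the contract explicit: `// cluster-scoped: no owner reference to the namespaced CSV; cleanup must select on the owner labels`.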
@@ -137,10 +135,9 @@ func RBACForClusterServiceVersion(csv *v1alpha1.ClusterServiceVersion) (map[stri
 // Create ClusterRoleBinding
 roleBinding := &rbacv1.ClusterRoleBinding{
 ObjectMeta: metav1.ObjectMeta{
- Name: generateName(fmt.Sprintf("%s-%s", role.GetName(), permission.ServiceAccountName)),
- Namespace: csv.GetNamespace(),
- OwnerReferences: []metav1.OwnerReference{ownerutil.NonBlockingOwner(csv)},
- Labels: ownerutil.OwnerLabel(csv, v1alpha1.ClusterServiceVersionKind),
+ Name: generateName(fmt.Sprintf("%s-%s", role.GetName(), permission.ServiceAccountName)),
+ Namespace: csv.GetNamespace(),
+ Labels: ownerutil.OwnerLabel(csv, v1alpha1.ClusterServiceVersionKind),
 },
 RoleRef: rbacv1.RoleRef{
 Kind: "ClusterRole",
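Review bot: `Namespace: csv.GetNamespace()` is kept on the ClusterRoleBinding's ObjectMeta even though the object is cluster-scoped, while the operator.go part of this same patch deletes `rb.SetNamespace(plan.Namespace)`. The field carries no scoping for a cluster-scoped object and can suggest to a reader that the grant is confined to the CSV's namespace. Drop the `Namespace:` line, or if other code reads it back from the generated manifest (not visible here), say so in a comment such as `// not a scope: kept only so consumers of the manifest can find the CSV's namespace`. The struct literal continues past the end of the hunk.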