Add permission to update namespaces/finalizer to webhook cluster role
(similar to knative/eventing#5501)

This patch adds the permission to update `namespaces/finalizers`.

Since knative/pkg#2098 added an ownerRef that refers to the namespace for the
webhook, we need this permission. Without it, a cluster which has stricter RBAC
rules gets the following error:

```
cannot set blockOwnerDeletion if an ownerReference refers to a resource
you can't set finalizers on ...
```

Signed-off-by: Pierangelo Di Pilato <pierangelodipilato@gmail.com>
pierDipi committed Jun 15, 2021
1 parent 51b075d commit bdb314e
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions control-plane/config/sink/100-webhook-cluster-role.yaml
Expand Up @@ -81,3 +81,12 @@ rules:
resources:
- "leases"
verbs: *everything

# finalizers are needed for the owner reference of the webhook
- apiGroups:
- ""
resources:
- "namespaces/finalizers"
verbs:
- "update"
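
Review bot: The new rule on `namespaces/finalizers` carries no `resourceNames`, so in this cluster role it lets the webhook's service account update finalizers on every namespace, while the comment says the permission is only needed for the webhook's owner reference. If that owner reference always points at the one namespace the webhook is installed in, consider restricting the rule with `resourceNames` to that namespace, or say in the comment why that is not possible. It would also help to extend the comment to name knative/pkg#2098 and the `blockOwnerDeletion` error quoted in the commit message, so whoever audits this role later can see why the grant exists.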
