Give replicaset controller patch permission on pods #39961
Conversation
Needed for AdoptPod/ReleasePod
k8s-ci-robot
added
the
cncf-cla: yes
|
This change is |
|
The deployment controller probably needs PATCH for replica sets too |
For the same reason with why you update here |
k8s-github-robot
added
size/XS
@Kargakis I'd rather see how #36897 is resolved first... I don't think patching in controller refs is a great model to follow. Replicationcontrollers and replicasets are already using the patch method, so we can't break that, but I don't want to propagate it. |
This is unrelated to #36897. We have already added "server-side" deletion for Deployments which means we patch replica sets in the deployment controller in master but I don't see the controller having the permission to do so and I am wondering how the e2e tests work cc: @caesarxuchao @krmayankk |
|
Huh, I didn't dig into why (it already had update and delete), but I saw this too: #39963 |
|
ok, if it's already in use :-/ |
|
How troublesome is permission reconcilation (removals specifically) ? |
They will never happen automatically and will realistically never be run. |
We'd likely never do it automatically on upgrade. It would probably be manual, which means it probably would rarely actually happen. |
|
I agree |
liggitt
added
release-note-none
deads2k
added
the
lgtm
|
Automatic merge from submit-queue |
Needed for AdoptPod/ReleasePod
Fixes denials seen in autoscaling test log:
RBAC DENY: user "system:serviceaccount:kube-system:replicaset-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "patch" on "pods./"