Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

workload controllers can't create resources with GC admission on #51970

Closed
deads2k opened this issue Sep 5, 2017 · 1 comment · Fixed by #49133
Closed

workload controllers can't create resources with GC admission on #51970

deads2k opened this issue Sep 5, 2017 · 1 comment · Fixed by #49133
Assignees
@deads2k
Labels
needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one.

Comments

@deads2k
Copy link
Contributor

deads2k commented Sep 5, 2017

owner ref admission checks permissions to decide if an ownerref is legal. No controller has those permissions, so they can't create the resources they need to.
@deads2k deads2k self-assigned this Sep 5, 2017
@deads2k deads2k mentioned this issue Sep 5, 2017
Merged
@k8s-github-robot
Copy link

@deads2k
There are no sig labels on this issue. Please add a sig label by:

  1. mentioning a sig: @kubernetes/sig-<group-name>-<group-suffix>
    e.g., @kubernetes/sig-contributor-experience-<group-suffix> to notify the contributor experience sig, OR

  2. specifying the label manually: /sig <label>
    e.g., /sig scalability to apply the sig/scalability label

Note: Method 1 will trigger an email to the group. You can find the group list here and label list here.
The <group-suffix> in the method 1 has to be replaced with one of these: bugs, feature-requests, pr-reviews, test-failures, proposals

@k8s-github-robot k8s-github-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Sep 5, 2017
k8s-github-robot pushed a commit that referenced this issue Sep 6, 2017
Merge pull request #49133 from deads2k/gc-02-permissions
0ed05f2 
Automatic merge from submit-queue (batch tested with PRs 49133, 51557, 51749, 50842, 52018)

add controller permissions to set blockOwnerDeletion

fixes #51970

`blockOwnerDeletion` requires delete permissions on the owner object.  This adds that permission for our controllers.

@kubernetes/sig-auth-misc 

```release-note
The OwnerReferencesPermissionEnforcement admission plugin now requires `update` permission on the `finalizers` subresource of the referenced owner in order to set `blockOwnerDeletion` on an owner reference.
```
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@deads2k deads2k

Labels
needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

add controller permissions to set blockOwnerDeletion deads2k/kubernetes
2 participants
@deads2k @k8s-github-robot