is there a related issue, or is this only with an admission plugin enabled?

is there a related issue, or is this only with an admission plugin enabled?

Only when its enabled. We need to enable it for e2e tests, but I think I'd do that separately.

blocking deletion of the owning object seems like it should require finalization permissions on the owning object more than deletion permissions

this would be a great use case for a consistent finalizers subresource on objects we could require update permissions on, require GC-related operations to go through, etc.

blocking deletion of the owning object seems like it should require finalization permissions on the owning object more than deletion permissions

sgtm.

@deads2k It looks like we haven't enabled the OwnerReferencesPermissionEnforcement admission plugin.Otherwise the missing permissions would had causing problems already. Shall we enable the plugin by default?

/lgtm

Adding do-not-merge because the release note process has not been followed.
One of the following labels is required "release-note", "release-note-action-required", "release-note-experimental" or "release-note-none".
Please see: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/pull-requests.md#release-notes.

Adding do-not-merge/release-note-label-needed because the release note process has not been followed.
One of the following labels is required "release-note", "release-note-action-required", "release-note-experimental" or "release-note-none".
Please see: https://github.com/kubernetes/community/blob/master/contributors/devel/pull-requests.md#write-release-notes-if-needed.

I really don't want to give delete permissions to controllers that don't need them, simply so they can pass a synthetic permissions check for this admission plugin. Long-term, I'd like to see a consistent finalizers subresource that finalization operations go through. In the short-term, I'd rather see this do an authorization check of update permissions on a hypothetical finalizers subresource, and give that permission to the controllers.

strawman release note:

The OwnerReferencesPermissionEnforcement admission plugin now requires update permission on the finalizers subresource of the referenced owner in order to set blockOwnerDeletion=true

@liggitt updated to use update on <resource>/finalizers

/retest

/retest

this lgtm. @caesarxuchao, any final comments?

relatedly, can you open a doc PR for this admission plugin? kubernetes/website#3588 noted we were missing documentation for it

The design and code lgtm. I'm concerned whether it's backward incompatible. I guess it breaks existing users that set blockOwnerDeletion, since no one has permission to update the finalizer subresources.

Only if you enable this admission plugin, and if you did that, all your existing controllers were broken already. Given that there was no documentation around this plug-in, and of the default policy did not work with it, I doubt there are any existing users. I think a release noted change is sufficient

Makes sense. LGTM.

/retest

/approve

Tagging per comments

/approve

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: caesarxuchao, deads2k, derekwaynecarr

Associated issue: 51970

The full list of commands accepted by this bot can be found here.

/test all [submit-queue is verifying that this PR is safe to merge]

/retest

Automatic merge from submit-queue (batch tested with PRs 49133, 51557, 51749, 50842, 52018)

@deads2k: The following tests failed, say /retest to rerun them all:

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.