Allow controller service account to update finalizers #2816
In clusters where the OwnerReferencesPermissionEnforcement admission controller is enabled, the agones-controller service account needs to have access to update finalizers on fleets, gameserversets, and gameservers. Closes googleforgames#1740
Build Succeeded 👏 Build Id: 8271a5f5-2d78-45d1-a512-03c0f2a2b62f The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
@thoraxe it's been a while, but does this fix look good to you? I figure you handle this more than we do 😃
One thing I also realised - I'm fairly sure we only use finalizers on a
When testing, I saw the same error when creating Fleets and GameServerSets but let me double-check!
But yeah - otherwise, no issues on my end with the change.
I just double-checked and all the new privileges will be needed from what I can tell. The owner references and finalizers begin at Pod and end at Fleet. Here's a link to more reference that's much to share in this comment :) https://gist.github.com/bostrt/aaf11005e72ec7456cf6b568653f38de

```
### POD
$ oc get pod simple-game-server-nwfq2-b74cn -o yaml | yq '.kind,.metadata.finalizers,.metadata.ownerReferences'
Pod
null
- apiVersion: agones.dev/v1
  blockOwnerDeletion: true
  controller: true
  kind: GameServer
  name: simple-game-server-nwfq2-b74cn
  uid: cfe872cb-e221-4f68-890c-2b81d1eff6ac

### GAMESERVER
$ oc get gs simple-game-server-nwfq2-n756t -o yaml | yq '.kind,.metadata.finalizers,.metadata.ownerReferences'
GameServer
- agones.dev
- apiVersion: agones.dev/v1
  blockOwnerDeletion: true
  controller: true
  kind: GameServerSet
  name: simple-game-server-nwfq2
  uid: 340d0fe1-8c71-4442-b7c1-fdf235fc7088

### GAMESERVERSET
$ oc get gss simple-game-server-nwfq2 -o yaml | yq '.kind,.metadata.finalizers,.metadata.ownerReferences'
GameServerSet
null
- apiVersion: agones.dev/v1
  blockOwnerDeletion: true
  controller: true
  kind: Fleet
  name: simple-game-server
  uid: 4b3f1b14-9e5f-4e31-aabe-3627142ec52b

### FLEET
$ oc get fleet simple-game-server -o yaml | yq '.kind,.metadata.finalizers,.metadata.ownerReferences'
Fleet
null
null
```
Oh interesting! It's all about the @thoraxe if you have a chance to take a look and confirm this is good, that would be awesome, otherwise we can merge as is I think 👍🏻
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bostrt, roberthbailey The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
New changes are detected. LGTM label has been removed.
Build Succeeded 👏 Build Id: e803f2fa-1ad1-4c81-bd9d-b361b4672aa3 The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
I'm not sure I'm smart enough/knowledgeable enough to chime in. If this PR causes the reproducer to work, then I'm satisfied, for whatever that's worth!
What type of PR is this?
/kind bug
What this PR does / Why we need it:
In clusters where the OwnerReferencesPermissionEnforcement admission controller is enabled, the agones-controller service account needs to have access to update finalizers on fleets, gameserversets, and gameservers.
Which issue(s) this PR fixes:
Closes #1740
Special notes for your reviewer:
I'm not sure if this is the fix you are looking for in regards to #1740 but it works great for me on OpenShift 4.11.
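
The permission requirement discussed in this thread, as an added example that is not part of the original PR or the Agones code base: with OwnerReferencesPermissionEnforcement enabled, setting `blockOwnerDeletion` on an owner reference requires `update` on the owner's `finalizers` subresource, and RBAC does not extend `update` on a resource to its subresources. The owner references are the ones in the output above; the two rule sets and the naive pluralisation are constructed assumptions.

```python
# Added example. Owner references are the ones shown in this thread; the two
# RBAC rule sets are constructed and are not the Agones chart's actual rules.
OWNER_REFS = [  # owner named by each child's metadata.ownerReferences
    {"apiVersion": "agones.dev/v1", "kind": "GameServer", "blockOwnerDeletion": True},     # on Pod
    {"apiVersion": "agones.dev/v1", "kind": "GameServerSet", "blockOwnerDeletion": True},  # on GameServer
    {"apiVersion": "agones.dev/v1", "kind": "Fleet", "blockOwnerDeletion": True},          # on GameServerSet
]
OWNERS = ["fleets", "gameserversets", "gameservers"]
RULES_BEFORE = [{"apiGroups": ["agones.dev"], "resources": OWNERS, "verbs": ["update"]}]
RULES_AFTER = RULES_BEFORE + [{
    "apiGroups": ["agones.dev"],
    "resources": [r + "/finalizers" for r in OWNERS],
    "verbs": ["update"],
}]


def required_permissions(owner_refs):
    """(apiGroup, resource) pairs the admission controller checks for 'update'."""
    needed = set()
    for ref in owner_refs:
        if not ref.get("blockOwnerDeletion"):
            continue  # only blockOwnerDeletion=true triggers the finalizers check
        group = ref["apiVersion"].rpartition("/")[0]  # "" for the core group ("v1")
        # Assumption: naive plural, correct for the kinds in this thread.
        needed.add((group, ref["kind"].lower() + "s/finalizers"))
    return needed


def resource_matches(rule_resource, requested):
    """RBAC matching: a subresource must be listed itself, or via '*' or '*/sub'."""
    if rule_resource in ("*", requested):
        return True
    return rule_resource.startswith("*/") and rule_resource[2:] == requested.partition("/")[2]


def allows(rules, group, resource, verb="update"):
    return any(
        (group in r["apiGroups"] or "*" in r["apiGroups"])
        and (verb in r["verbs"] or "*" in r["verbs"])
        and any(resource_matches(x, resource) for x in r["resources"])
        for r in rules
    )


def missing_permissions(rules, owner_refs):
    return sorted(p for p in required_permissions(owner_refs) if not allows(rules, *p))


if __name__ == "__main__":
    print("before:", missing_permissions(RULES_BEFORE, OWNER_REFS))
    print("after: ", missing_permissions(RULES_AFTER, OWNER_REFS))
```

Against a live cluster the same question can be asked per resource with `kubectl auth can-i update gameservers.agones.dev --subresource=finalizers --as=system:serviceaccount:<namespace>:<service-account>`.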