add patch verb for persistentvolumes resources in the external-provisioner-runner clusterrole #1155

Merged


carlory
Member

@carlory carlory commented Feb 6, 2024

What type of PR is this?

/kind bug

What this PR does / why we need it:

With the feature gate HonorPVReclaimPolicy enabled, create a PVC with a delete reclaim policy, then delete the PVC; the PV is stuck in deleting status. The error message is:

csi-mockplugin-0/csi-provisioner@kind..lane: I0206 11:08:41.536819       1 controller.go:1523] delete "pvc-e4b6e20e-4d77-4bf0-8d96-9f47212e4b38": failed to remove finalizer for persistentvolume: persistentvolumes "pvc-e4b6e20e-4d77-4bf0-8d96-9f47212e4b38" is forbidden: User "system:serviceaccount:csi-mock-honor-pv-reclaim-policy-99-996:csi-mock" cannot update resource "persistentvolumes" in API group "" at the cluster scope: RBAC: [clusterrole.rbac.authorization.k8s.io "cluster-driver-registrar-runner-csi-mock-honor-pv-reclaim-policy-99" not found, clusterrole.rbac.authorization.k8s.io "e2e-test-privileged-psp" not found]
csi-mockplugin-0/csi-provisioner@kind..lane: W0206 11:08:41.536850       1 controller.go:989] Retrying syncing volume "pvc-e4b6e20e-4d77-4bf0-8d96-9f47212e4b38", failure 0
csi-mockplugin-0/csi-provisioner@kind..lane: E0206 11:08:41.536880       1 controller.go:1007] error syncing volume "pvc-e4b6e20e-4d77-4bf0-8d96-9f47212e4b38": persistentvolumes "pvc-e4b6e20e-4d77-4bf0-8d96-9f47212e4b38" is forbidden: User "system:serviceaccount:csi-mock-honor-pv-reclaim-policy-99-996:csi-mock" cannot update resource "persistentvolumes" in API group "" at the cluster scope: RBAC: [clusterrole.rbac.authorization.k8s.io "cluster-driver-registrar-runner-csi-mock-honor-pv-reclaim-policy-99" not found, clusterrole.rbac.authorization.k8s.io "e2e-test-privileged-psp" not found]
I0206 19:08:

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Action required: the external-provisioner now needs permissions to patch persistentvolumes. Please update your RBACs appropriately. See the linked pull request for an example.  
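Added example (not code from this PR or from the external-provisioner project): a Go triage helper that pulls the distinct RBAC denials out of provisioner log lines in the format quoted above and renders the single rule each one asks for, so the grant can be reviewed before it is added to a role. It generalizes beyond the persistentvolumes case to any verb, resource and scope; the type and function names are hypothetical, and the log lines and account names are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
)

// Denial is one permission the RBAC authorizer refused. Namespace is "" at cluster scope.
type Denial struct{ Subject, Verb, Resource, APIGroup, Namespace string }

// forbiddenRE matches the API server's "is forbidden" wording seen in the log above.
var forbiddenRE = regexp.MustCompile(`User "([^"]+)" cannot (\S+) resource "([^"]+)" ` +
	`in API group "([^"]*)" (?:at the cluster scope|in the namespace "([^"]+)")`)

// ParseDenials returns the distinct denials in lines, in first-seen order.
func ParseDenials(lines []string) []Denial {
	seen := map[Denial]bool{}
	var out []Denial
	for _, line := range lines {
		for _, m := range forbiddenRE.FindAllStringSubmatch(line, -1) {
			d := Denial{m[1], m[2], m[3], m[4], m[5]}
			if !seen[d] {
				seen[d] = true
				out = append(out, d)
			}
		}
	}
	return out
}

// Rule renders the one RBAC rule that would cover the denial, for review before granting.
func (d Denial) Rule() string {
	kind := "ClusterRole"
	if d.Namespace != "" {
		kind = "Role in namespace " + d.Namespace
	}
	return fmt.Sprintf("%s: apiGroups: [%q], resources: [%q], verbs: [%q]", kind, d.APIGroup, d.Resource, d.Verb)
}
// sampleLog is constructed for this example; every name in it is a placeholder (assumption).
var sampleLog = []string{
	`I0101 00:00:00.000000 1 controller.go:1523] delete "pvc-example": failed to remove finalizer for persistentvolume: persistentvolumes "pvc-example" is forbidden: User "system:serviceaccount:example-ns:example-provisioner" cannot update resource "persistentvolumes" in API group "" at the cluster scope`,
	`E0101 00:00:00.000001 1 controller.go:1007] error syncing volume "pvc-example": persistentvolumes "pvc-example" is forbidden: User "system:serviceaccount:example-ns:example-provisioner" cannot update resource "persistentvolumes" in API group "" at the cluster scope`,
	`E0101 00:00:00.000002 1 event.go:1] events is forbidden: User "system:serviceaccount:example-ns:example-provisioner" cannot patch resource "events" in API group "" in the namespace "example-ns"`,
}
func main() {
	for _, d := range ParseDenials(sampleLog) {
		fmt.Println(d.Subject, "needs", d.Rule())
	}
}
```

Repeated retries of the same failure collapse into one entry, so the output is the list of distinct permissions the service account was refused.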

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 6, 2024
@carlory
Member Author

carlory commented Feb 6, 2024

/cc @deepakkinni @xing-yang

@xing-yang
Contributor

To add a new RBAC rule, we need to bump the major version.

@xing-yang
Contributor

To add a new RBAC rule, we need to bump the major version.

I think we should probably do this following the K8s 1.30 release.

@msau42
Collaborator

msau42 commented Mar 8, 2024

Can we use patch instead of update?

@carlory
Member Author

carlory commented Mar 11, 2024

> Can we use patch instead of update?

cc @deepakkinni

@deepakkinni
Member

> Can we use patch instead of update?

Unfortunately, we use update https://github.com/kubernetes-sigs/sig-storage-lib-external-provisioner/blob/master/controller/controller.go#L1322-L1328

Having read about Patch now, I do see its benefits. Would you prefer if we switched out the update to patch?

@xing-yang
Contributor

Yes, try to switch to patch, please.

@carlory carlory force-pushed the fix-rbac-for-honor-reclaim-policy branch from 305ad97 to c597852 Compare March 14, 2024 09:11
@carlory carlory changed the title add update verb for persistentvolumes resources in the external-provisioner-runner clusterrole add patch verb for persistentvolumes resources in the external-provisioner-runner clusterrole Mar 14, 2024
@carlory
Member Author

carlory commented Mar 14, 2024

/hold

Waiting for kubernetes-sigs/sig-storage-lib-external-provisioner#164 to be merged.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 14, 2024
@xing-yang
Contributor

Can you change from "update verb" to "patch verb" in the release note?

@carlory
Member Author

carlory commented Mar 28, 2024

@xing-yang updated.

@deepakkinni
Member

/approve

@xing-yang
Contributor

@carlory Can we cancel the hold?

@xing-yang
Contributor

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 24, 2024
@xing-yang
Contributor

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 24, 2024
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: carlory, deepakkinni, xing-yang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 24, 2024
@carlory
Member Author

carlory commented Apr 24, 2024

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 24, 2024
@carlory
Member Author

carlory commented Apr 24, 2024

we need to bump the vendor

@carlory
Member Author

carlory commented Apr 24, 2024

cc @xing-yang

@carlory
Member Author

carlory commented Apr 24, 2024

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 24, 2024
@k8s-ci-robot k8s-ci-robot merged commit bf36bc2 into kubernetes-csi:master Apr 24, 2024
8 checks passed
@k8s-ci-robot k8s-ci-robot added release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. and removed release-note Denotes a PR that will be considered when it comes time to generate release notes. labels May 21, 2024
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
5 participants