Add permission to update namespaces/finalizers #11517

Merged
merged 6 commits into from
Jun 15, 2021


nak3
Contributor

@nak3 nak3 commented Jun 14, 2021

This patch adds the permission to update namespaces/finalizers.

Since knative/pkg#2098 added an ownerRef that refers to the namespace for the webhook,
we need this permission. Without it, a cluster that has stricter RBAC
rules gets the following error:

```
cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on:
```

/cc @markusthoemmes @julz @dprotaso

Release Note

knative-serving-core cluster role has update permission for namespaces/finalizers.
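
Added example (not code from this PR or from Knative): the error quoted above comes from the OwnerReferencesPermissionEnforcement admission check, which requires `update` on the `finalizers` subresource of the owner. The Go program below applies RBAC resource matching to a rule list to test for that permission on `namespaces/finalizers`. The `PolicyRule` struct, the function names and the sample rules are constructed for illustration, and rules are assumed to carry no `resourceNames` restriction.

```go
package main

import "fmt"

// PolicyRule holds the fields of an rbac.authorization.k8s.io/v1 PolicyRule
// that matter for this check (hypothetical local type, not the client-go one).
type PolicyRule struct {
	APIGroups, Resources, Verbs []string
}

// contains reports whether list holds want or the "*" wildcard.
func contains(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// Allows applies RBAC matching for a subresource request: a rule's resource
// entry matches as "*", the exact "resource/sub", or "*/sub". A bare
// "resource" entry does not cover its subresources.
func Allows(rules []PolicyRule, verb, group, resource, sub string) bool {
	for _, r := range rules {
		if !contains(r.Verbs, verb) || !contains(r.APIGroups, group) {
			continue
		}
		for _, res := range r.Resources {
			if res == "*" || res == resource+"/"+sub || res == "*/"+sub {
				return true
			}
		}
	}
	return false
}

// CanOwnNamespace reports whether the rules allow "update" on
// namespaces/finalizers in the core ("") API group, which the admission
// check requires before blockOwnerDeletion can point at a Namespace.
func CanOwnNamespace(rules []PolicyRule) bool {
	return Allows(rules, "update", "", "namespaces", "finalizers")
}

func main() {
	// Constructed sample rules, not the contents of knative-serving-core.
	before := []PolicyRule{{[]string{""}, []string{"namespaces"}, []string{"get", "list", "update"}}}
	after := append(before, PolicyRule{[]string{""}, []string{"namespaces/finalizers"}, []string{"update"}})
	fmt.Println("before:", CanOwnNamespace(before), "after:", CanOwnNamespace(after))
}
```

On a live cluster, `kubectl auth can-i update namespaces --subresource=finalizers --as=system:serviceaccount:<namespace>:<name>` answers the same question for a given service account.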

@knative-prow-robot knative-prow-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 14, 2021
@google-cla google-cla bot added the cla: yes Indicates the PR's author has signed the CLA. label Jun 14, 2021
@knative-prow-robot knative-prow-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jun 14, 2021

codecov bot commented Jun 14, 2021

Codecov Report

Merging #11517 (d8dd3b2) into main (f777f7c) will increase coverage by 0.00%.
The diff coverage is n/a.


@@           Coverage Diff           @@
##             main   #11517   +/-   ##
=======================================
  Coverage   87.75%   87.76%           
=======================================
  Files         191      191           
  Lines        9262     9269    +7     
=======================================
+ Hits         8128     8135    +7     
+ Misses        882      881    -1     
- Partials      252      253    +1     
| Impacted Files | Coverage Δ | |
|---|---|---|
| pkg/autoscaler/statforwarder/leases.go | 76.97% <0.00%> (-1.44%) | ⬇️ |
| pkg/reconciler/route/traffic/traffic.go | 92.92% <0.00%> (+0.14%) | ⬆️ |
| pkg/reconciler/route/route.go | 79.69% <0.00%> (+0.31%) | ⬆️ |
| pkg/autoscaler/scaling/multiscaler.go | 89.09% <0.00%> (+1.81%) | ⬆️ |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f777f7c...d8dd3b2. Read the comment docs.

Contributor Author

nak3 commented Jun 14, 2021

/test pull-knative-serving-upgrade-tests

Contributor Author

nak3 commented Jun 14, 2021

Umm... Updating clusterrole makes diff and failed 🤔

```
Jun 14 07:15:31.187 install_latest_release [OUT] kapp: Error: Applying update clusterrole/knative-serving-admin (rbac.authorization.k8s.io/v1) cluster:
Jun 14 07:15:31.188 install_latest_release [OUT]   Failed to update due to resource conflict (approved diff no longer matches):
Jun 14 07:15:31.188 install_latest_release [OUT]     Updating resource clusterrole/knative-serving-admin (rbac.authorization.k8s.io/v1) cluster:
Jun 14 07:15:31.188 install_latest_release [OUT]       Operation cannot be fulfilled on clusterroles.rbac.authorization.k8s.io "knative-serving-admin": the object has been modified; please apply your changes to the latest version and try again (reason: Conflict)
Jun 14 07:15:31.208 install_latest_release [OUT] ERROR: failed to setup knative
```

This patch adds the permission to update `namespaces/finalizers`.

Since knative/pkg#2098 added an ownerRef that refers to the namespace for the webhook,
we need the permission. Without it, a cluster that has stricter RBAC
rules gets the following error:

```
cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on:
```
Contributor Author

nak3 commented Jun 14, 2021

Probably we need a similar workaround with carvel-dev/kapp#213 🤔

@knative-prow-robot knative-prow-robot added the area/test-and-release It flags unit/e2e/conformance/perf test issues for product features label Jun 14, 2021
@nak3 nak3 added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 14, 2021
Contributor Author

nak3 commented Jun 14, 2021

The upgrade test passed this time, but it will be flaky until carvel-dev/kapp#227 is fixed.

@knative-prow-robot knative-prow-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jun 14, 2021
test/e2e-common.sh (outdated, resolved)
Contributor Author

nak3 commented Jun 15, 2021

> The upgrade test passed this time, but it will be flaky until carvel-dev/kapp#227 is fixed.

This could be fixed by adding kapp config.

@@ -288,7 +288,6 @@ function install() {
> "${ytt_result}" \
|| fail_test "failed to create deployment configuration"
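
Review bot: The header `@@ -288,7 +288,6 @@ function install()` records a one-line removal next to the `|| fail_test "failed to create deployment configuration"` line, and nothing in the visible context ties it to the namespaces/finalizers permission or to a kapp setting. If the dropped line is only whitespace, revert it so this file's diff contains just the change the upgrade test needs.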


Contributor

Total nit: Can we drop this unnecessary change? LGTM otherwise.

Contributor Author

Sure! updated.

Contributor

@markusthoemmes markusthoemmes left a comment

/lgtm
/approve

@knative-prow-robot knative-prow-robot added the lgtm Indicates that a PR is ready to be merged. label Jun 15, 2021
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: markusthoemmes, nak3

@nak3 nak3 removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 15, 2021
@knative-prow-robot knative-prow-robot merged commit cd8839f into knative:main Jun 15, 2021
@nak3 nak3 deleted the add-finalizer branch December 3, 2021 05:30