fix(deployment): the viewer controller does not work because of missing permissions

[juliusvonkohout]

Description of your changes:

Because of

pipelines/backend/src/crd/controller/viewer/reconciler/reconciler.go

Line 114 in b7fd47f

// Set the deployment to be owned by the view instance. This ensures that

the controller must be able to set finalizers on viewers.

otherwise you will get errors similar to

I1110 15:54:53.322352       1 reconciler.go:75] Reconcile request: dev-1/viewer-f517727e9516176c0e181234afcf45c8cfdf1735
I1110 15:54:53.327982       1 reconciler.go:87] Got instance: &{TypeMeta:{Kind: APIVersion:} ObjectMeta:{Name:viewer-f517727e9516176c0e181234afcf45c8cfdf1735 GenerateName: Namespace:dev-1 SelfLink:/apis/kubeflow.org/v1beta1/namespaces/dev-1/viewers/viewer-f517727e9516176c0e181234afcf45c8cfdf1735 UID:1b80573e-7b0b-4a22-84d0-d9f8e48daf96 ResourceVersion:206118893 Generation:1 CreationTimestamp:2021-11-10 15:54:42 +0000 UTC DeletionTimestamp:<nil> DeletionGracePeriodSeconds:<nil> Labels:map[] Annotations:map[] OwnerReferences:[] Finalizers:[] ClusterName: ManagedFields:[{Manager:unknown Operation:Update APIVersion:kubeflow.org/v1beta1 Time:2021-11-10 15:54:42 +0000 UTC FieldsType:FieldsV1 FieldsV1:{"f:spec":{".":{},"f:podTemplateSpec":{".":{},"f:spec":{".":{},"f:containers":{},"f:serviceAccountName":{}}},"f:tensorboardSpec":{".":{},"f:logDir":{},"f:tensorflowImage":{}},"f:type":{}}}}]} Spec:{Type:tensorboard TensorboardSpec:{LogDir:s3://mlpipeline/tensorboard/logs/84c4c5b8-e15f-425d-bcba-8351bab49e2a TensorflowImage:mtr.external.otc.telekomcloud.com/kubeflow/tensorboard:latest} PodTemplateSpec:{ObjectMeta:{Name: GenerateName: Namespace: SelfLink: UID: ResourceVersion: Generation:0 CreationTimestamp:0001-01-01 00:00:00 +0000 UTC DeletionTimestamp:<nil> DeletionGracePeriodSeconds:<nil> Labels:map[] Annotations:map[] OwnerReferences:[] Finalizers:[] ClusterName: ManagedFields:[]} Spec:{Volumes:[] InitContainers:[] Containers:[{Name: Image: Command:[] Args:[] WorkingDir: Ports:[] EnvFrom:[] Env:[{Name:AWS_ACCESS_KEY_ID Value: ValueFrom:&EnvVarSource{FieldRef:nil,ResourceFieldRef:nil,ConfigMapKeyRef:nil,SecretKeyRef:&SecretKeySelector{LocalObjectReference:LocalObjectReference{Name:mlpipeline-minio-artifact,},Key:accesskey,Optional:nil,},}} {Name:AWS_SECRET_ACCESS_KEY Value: ValueFrom:&EnvVarSource{FieldRef:nil,ResourceFieldRef:nil,ConfigMapKeyRef:nil,SecretKeyRef:&SecretKeySelector{LocalObjectReference:LocalObjectReference{Name:mlpipeline-minio-artifact,},Key:secretkey,Optional:nil,},}} {Name:AWS_REGION Value:minio ValueFrom:nil} {Name:S3_ENDPOINT Value:http://minio-service.kubeflow:9000 ValueFrom:nil} {Name:S3_USE_HTTPS Value:0 ValueFrom:nil} {Name:S3_VERIFY_SSL Value:0 ValueFrom:nil}] Resources:{Limits:map[] Requests:map[]} VolumeMounts:[] VolumeDevices:[] LivenessProbe:nil ReadinessProbe:nil StartupProbe:nil Lifecycle:nil TerminationMessagePath: TerminationMessagePolicy: ImagePullPolicy: SecurityContext:nil Stdin:false StdinOnce:false TTY:false}] EphemeralContainers:[] RestartPolicy: TerminationGracePeriodSeconds:<nil> ActiveDeadlineSeconds:<nil> DNSPolicy: NodeSelector:map[] ServiceAccountName:default-viewer DeprecatedServiceAccount: AutomountServiceAccountToken:<nil> NodeName: HostNetwork:false HostPID:false HostIPC:false ShareProcessNamespace:<nil> SecurityContext:nil ImagePullSecrets:[] Hostname: Subdomain: Affinity:nil SchedulerName: Tolerations:[] HostAliases:[] PriorityClassName: Priority:<nil> DNSConfig:nil ReadinessGates:[] RuntimeClassName:<nil> EnableServiceLinks:<nil> PreemptionPolicy:<nil> Overhead:map[] TopologySpreadConstraints:[] SetHostnameAsFQDN:<nil>}}}}
E1110 15:54:53.336770       1 reconciler.go:128] error creating deployment: deployments.apps "viewer-f517727e9516176c0e181234afcf45c8cfdf1735-deployment" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>

@Bobgy my image works with tensorboard 2.7 not only 2.3. If you use a standalone Tensorboard it does use its own s3 implementation via boto3 and you do not need workarounds for tensorflow s3 support with tensowflow-io imports.

Checklist:

• The title for your pull request (PR) should follow our title convention. Learn more about the pull request title convention used in this repository.

[google-oss-prow]

Hi @juliusvonkohout. Thanks for your PR.

I'm waiting for a kubeflow member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Bobgy]

/lgtm

[zijianjoy]

/approve

Thank you so much!

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: zijianjoy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• manifests/kustomize/OWNERS [zijianjoy]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment