Commit

Add permission to update namespaces/finalizer to webhook cluster role (
…knative-extensions#1000)

(similar to knative/eventing#5501)

This patch adds the permission to update `namespaces/finalizers`.

Since knative/pkg#2098 added an ownerRef that refers to the namespace for the webhook,
we need this permission. Without it, a cluster which has stricter RBAC
rules gets the following error:

```
cannot set blockOwnerDeletion if an ownerReference refers to a resource
you can't set finalizers on ...
```

Signed-off-by: Pierangelo Di Pilato <[email protected]>
pierDipi authored and slinkydeveloper committed Jun 18, 2021
1 parent a6ff152 commit e0349b1
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions control-plane/config/sink/100-webhook-cluster-role.yaml
Expand Up @@ -81,3 +81,12 @@ rules:
resources:
- "leases"
verbs: *everything

# finalizers are needed for the owner reference of the webhook
- apiGroups:
- ""
resources:
- "namespaces/finalizers"
verbs:
- "update"
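
Review bot: the added rule has no `resourceNames`, so in this cluster role it allows `update` on `namespaces/finalizers` for every namespace, while the commit message only needs it for the namespace the webhook's ownerRef points to. If that namespace is known at deploy time, consider restricting the rule with a `resourceNames:` entry for it. The comment above the rule could also quote the `blockOwnerDeletion` error from the commit message, so a later RBAC audit can see why the permission exists before deciding whether to keep it.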
