fix: add deployments/finalizers RBAC marker for AgentCardSync controller#240
Bobbins228 wants to merge 2 commits into kagenti:main from
Kubernetes requires update permission on apps/deployments/finalizers
when blockOwnerDeletion=true is set on ownerReferences. The +kubebuilder:rbac
marker was missing from agentcardsync_controller.go, causing controller-gen
to omit the rule from config/rbac/role.yaml. This caused a hard RBAC denial
on every reconcile loop on HyperShift/ROSA clusters.
Fixes RHAIENG-3819
Assisted-By: Claude
Made-with: Cursor
Signed-off-by: Bobbins228 <mcampbel@redhat.com>
ca73b26 to 9f2c89b
r3v5
left a comment
Great work, Mark! Should we do the same for statefulsets/finalizers ?
…ller
The AgentCardSync controller reconciles both Deployments and StatefulSets,
calling controllerutil.SetControllerReference (blockOwnerDeletion: true) for
both. Kubernetes requires statefulsets/finalizers:update to set
blockOwnerDeletion on a StatefulSet owner — enforced as a hard denial on
HyperShift/ROSA. Adds the missing +kubebuilder:rbac marker and regenerates
config/rbac/role.yaml. The Helm chart already carries this permission.
Made-with: Cursor
Signed-off-by: Bobbins228 <mcampbel@redhat.com>
Good catch @r3v5, updated now and verified, thanks for the review.
cwiklik
left a comment
Targeted RBAC fix for the kustomize install path. The AgentCardSync controller uses blockOwnerDeletion: true via SetControllerReference on both Deployments and StatefulSets, which requires update on the /finalizers subresource. The Helm chart already had these permissions; this PR aligns the kubebuilder markers and regenerated config/rbac/role.yaml to match.
Verified: Helm chart at charts/kagenti-operator/templates/rbac/role.yaml already carries both deployments/finalizers and statefulsets/finalizers — this brings kustomize into parity.
Areas reviewed: Go (RBAC markers), YAML (role.yaml), Security (RBAC scope)
Commits: 2 commits, all signed-off ✓
CI status: All 14 checks passing ✓
Clean, well-scoped fix. Good catch from @r3v5 on the StatefulSet gap.
Problem
The AgentCardSync controller sets blockOwnerDeletion: true on ownerReference entries for AgentCard objects owned by Deployment resources. Kubernetes requires that the acting service account hold update permission on the apps/deployments/finalizers subresource to do this — without it, the API server returns a hard denial on every create/update of the AgentCard.
The +kubebuilder:rbac markers in agentcardsync_controller.go covered apps/deployments (get, list, watch) but not apps/deployments/finalizers. As a result, controller-gen omitted the rule from config/rbac/role.yaml, leaving the kustomize-based install path non-functional on clusters with strict RBAC enforcement. The AgentCardSync reconciler would loop indefinitely, never producing AgentCard objects.
Solution
Added the missing +kubebuilder:rbac marker to agentcardsync_controller.go and regenerated config/rbac/role.yaml via make manifests.
Files Changed
internal/controller/agentcardsync_controller.go — added +kubebuilder:rbac:groups=apps,resources=deployments/finalizers,verbs=update
config/rbac/role.yaml — regenerated; new deployments/finalizers: update rule added
Made with Cursor
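As an added example (not the project's code), a small Go check that reads +kubebuilder:rbac markers the way controller-gen does and reports owner resources that lack the update grant on their /finalizers subresource, which is the gap this PR and its follow-up StatefulSet commit close. The marker text is a constructed sample modelled on the PR description, and the owner list is an assumption standing in for the kinds SetControllerReference is called on.

```go
package main

import (
	"regexp"
	"strings"
)
// Constructed sample, not the project's file: the markers the PR describes before the fix.
const markersBefore = `
// +kubebuilder:rbac:groups=apps,resources=deployments;statefulsets,verbs=get;list;watch
`
// The two markers the PR adds; appended to markersBefore they close the gap.
const markersAdded = `
// +kubebuilder:rbac:groups=apps,resources=deployments/finalizers,verbs=update
// +kubebuilder:rbac:groups=apps,resources=statefulsets/finalizers,verbs=update
`
var markerRe = regexp.MustCompile(`\+kubebuilder:rbac:(\S+)`)

// parseRBACMarkers expands every +kubebuilder:rbac marker in Go source text into a set
// of "group/resource:verb" grants, splitting multi-valued fields on ';' as controller-gen does.
func parseRBACMarkers(src string) map[string]bool {
	grants := map[string]bool{}
	for _, m := range markerRe.FindAllStringSubmatch(src, -1) {
		fields := map[string][]string{}
		for _, kv := range strings.Split(m[1], ",") {
			k, v, _ := strings.Cut(kv, "=")
			fields[k] = strings.Split(v, ";")
		}
		for _, g := range fields["groups"] {
			for _, r := range fields["resources"] {
				for _, verb := range fields["verbs"] {
					grants[g+"/"+r+":"+verb] = true
				}
			}
		}
	}
	return grants
}

// missingFinalizerRules returns each owner ("group/resource") the controller sets blockOwnerDeletion
// on that lacks update on its /finalizers subresource; the API server's admission check denies those.
func missingFinalizerRules(grants map[string]bool, owners []string) []string {
	var missing []string
	for _, o := range owners {
		if !grants[o+"/finalizers:update"] {
			missing = append(missing, o)
		}
	}
	return missing
}
```

Running the check over the marker set before the fix reports both apps/deployments and apps/statefulsets; with the two added markers appended it reports nothing.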