From 9f2c89ba7586953144cdcd9a8e0ea85f256b2d14 Mon Sep 17 00:00:00 2001 From: Bobbins228 Date: Mon, 23 Mar 2026 10:22:08 +0000 Subject: [PATCH 1/2] fix: add deployments/finalizers RBAC marker for AgentCardSync controller Kubernetes requires update permission on apps/deployments/finalizers when blockOwnerDeletion=true is set on ownerReferences. The +kubebuilder:rbac marker was missing from agentcardsync_controller.go, causing controller-gen to omit the rule from config/rbac/role.yaml. This caused a hard RBAC denial on every reconcile loop on HyperShift/ROSA clusters. Fixes RHAIENG-3819 Assisted-By: Claude Made-with: Cursor Signed-off-by: Bobbins228 --- kagenti-operator/config/rbac/role.yaml | 6 ++++++ .../internal/controller/agentcardsync_controller.go | 1 + 2 files changed, 7 insertions(+) diff --git a/kagenti-operator/config/rbac/role.yaml b/kagenti-operator/config/rbac/role.yaml index 816fce8..3c5989c 100644 --- a/kagenti-operator/config/rbac/role.yaml +++ b/kagenti-operator/config/rbac/role.yaml @@ -70,6 +70,12 @@ rules: - patch - update - watch +- apiGroups: + - apps + resources: + - deployments/finalizers + verbs: + - update - apiGroups: - networking.k8s.io resources: diff --git a/kagenti-operator/internal/controller/agentcardsync_controller.go b/kagenti-operator/internal/controller/agentcardsync_controller.go index 70c1722..6cc081c 100644 --- a/kagenti-operator/internal/controller/agentcardsync_controller.go +++ b/kagenti-operator/internal/controller/agentcardsync_controller.go 
@@ -52,6 +52,7 @@ type AgentCardSyncReconciler struct { // +kubebuilder:rbac:groups=agent.kagenti.dev,resources=agentcards,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch +// +kubebuilder:rbac:groups=apps,resources=deployments/finalizers,verbs=update // +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch func (r *AgentCardSyncReconciler) ReconcileDeployment(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { From 3d39b11d28955ba82dc745c52ed58b7c5d09cc47 Mon Sep 17 00:00:00 2001 From: Bobbins228 Date: Mon, 23 Mar 2026 12:40:54 +0000 Subject: [PATCH 2/2] fix: add statefulsets/finalizers RBAC marker for AgentCardSync controller MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The AgentCardSync controller reconciles both Deployments and StatefulSets, calling controllerutil.SetControllerReference (blockOwnerDeletion: true) for both. Kubernetes requires statefulsets/finalizers:update to set blockOwnerDeletion on a StatefulSet owner — enforced as a hard denial on HyperShift/ROSA. Adds the missing +kubebuilder:rbac marker and regenerates config/rbac/role.yaml. The Helm chart already carries this permission. Made-with: Cursor Signed-off-by: Bobbins228 --- kagenti-operator/config/rbac/role.yaml | 1 + kagenti-operator/internal/controller/agentcardsync_controller.go | 1 + 2 files changed, 2 insertions(+) diff --git a/kagenti-operator/config/rbac/role.yaml b/kagenti-operator/config/rbac/role.yaml index 3c5989c..6e0aaf1 100644 --- a/kagenti-operator/config/rbac/role.yaml +++ b/kagenti-operator/config/rbac/role.yaml @@ -74,6 +74,7 @@ rules: - apps resources: - deployments/finalizers + - statefulsets/finalizers verbs: - update - apiGroups: diff --git a/kagenti-operator/internal/controller/agentcardsync_controller.go b/kagenti-operator/internal/controller/agentcardsync_controller.go index 6cc081c..4de8231 100644 
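Review bot: The added marker directly above ReconcileDeployment does not say why a finalizers subresource verb is needed, and since the controller never touches finalizers itself a later least-privilege cleanup could drop it as unused; the same applies to the statefulsets/finalizers marker added in the second patch's hunk of this file. Suggest one comment above the pair, for example `// deployments/finalizers and statefulsets/finalizers update are required by the OwnerReferencesPermissionEnforcement admission plugin because SetControllerReference sets blockOwnerDeletion=true on the owner reference.` The grant itself is already minimal (subresource only, single verb update), so the rule needs no change. Because the commit message notes the Helm chart carries the same permission independently of the generated role.yaml, a CI step that regenerates the manifests with controller-gen and fails on a dirty tree would catch this kind of drift before it reaches a cluster, if one is not already in place. ReconcileDeployment's body continues outside the hunk.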
--- a/kagenti-operator/internal/controller/agentcardsync_controller.go +++ b/kagenti-operator/internal/controller/agentcardsync_controller.go @@ -54,6 +54,7 @@ type AgentCardSyncReconciler struct { // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch // +kubebuilder:rbac:groups=apps,resources=deployments/finalizers,verbs=update // +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch +// +kubebuilder:rbac:groups=apps,resources=statefulsets/finalizers,verbs=update func (r *AgentCardSyncReconciler) ReconcileDeployment(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { syncLogger.V(1).Info("Reconciling Deployment for auto-sync", "namespacedName", req.NamespacedName)