Add finalizers permissions for OwnerReferencesPermissionEnforcement

odigos-io · Jan 29, 2025 · 315984b · 315984b
1 parent 2b06fc1
commit 315984b
Show file tree

Hide file tree

Showing 11 changed files with 105 additions and 18 deletions.
diff --git a/cli/cmd/resources/autoscaler.go b/cli/cmd/resources/autoscaler.go
@@ -171,6 +171,16 @@ func NewAutoscalerClusterRole() *rbacv1.ClusterRole {
 					"watch",
 				},
 			},
+			{
+				// Required for OwnerReferencesPermissionEnforcement (on by default in OpenShift)
+				// When we create a collector COnfigMap, we set the OwnerReference to the collectorsgroups.
+				// Controller-runtime sets BlockDeletion: true. So with this Admission Plugin we need permission to
+				// update finalizers on the collectorsgroup so that they can block deletion.
+				// seehttps://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+				APIGroups: []string{"odigos.io"},
+				Resources: []string{"collectorsgroups/finalizers"},
+				Verbs:     []string{"update"},
+			},
 		},
 	}
 }

diff --git a/cli/cmd/resources/instrumentor.go b/cli/cmd/resources/instrumentor.go
@@ -158,6 +158,21 @@ func NewInstrumentorClusterRole() *rbacv1.ClusterRole {
 				Resources: []string{"statefulsets"},
 				Verbs:     []string{"get", "list", "watch", "update", "patch"},
 			},
+			{
+				// Required for OwnerReferencesPermissionEnforcement (on by default in OpenShift)
+				// When we create an InstrumentationConfig, we set the OwnerReference to the related workload.
+				// Controller-runtime sets BlockDeletion: true. So with this Admission Plugin we need permission to
+				// update finalizers on the workloads so that they can block deletion.
+				// seehttps://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+				APIGroups: []string{"apps"},
+				Resources: []string{"statefulsets/finalizers", "daemonsets/finalizers", "deployments/finalizers"},
+				Verbs:     []string{"update"},
+			},
+			{
+				APIGroups: []string{"operator.odigos.io"},
+				Resources: []string{"odigos/finalizers"},
+				Verbs:     []string{"update"},
+			},
 			{ // React to runtime detection in user workloads in all namespaces
 				APIGroups: []string{"odigos.io"},
 				Resources: []string{"instrumentedapplications"},

diff --git a/cli/cmd/resources/odiglet.go b/cli/cmd/resources/odiglet.go
@@ -122,6 +122,16 @@ func NewOdigletClusterRole(psp bool) *rbacv1.ClusterRole {
 				Resources: []string{"deployments/status", "daemonsets/status", "statefulsets/status"},
 				Verbs:     []string{"get"},
 			},
+			{
+				// Required for OwnerReferencesPermissionEnforcement (on by default in OpenShift)
+				// When we create an InstrumentationInstance, we set the OwnerReference to the related workload.
+				// Controller-runtime sets BlockDeletion: true. So with this Admission Plugin we need permission to
+				// update finalizers on the workloads so that they can block deletion.
+				// seehttps://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+				APIGroups: []string{"apps"},
+				Resources: []string{"deployments/finalizers", "daemonsets/finalizers", "statefulsets/finalizers"},
+				Verbs:     []string{"update"},
+			},
 			{ // Needed for virtual device registration
 				APIGroups: []string{""},
 				Resources: []string{"nodes"},

diff --git a/helm/odigos/templates/autoscaler/clusterrole.yaml b/helm/odigos/templates/autoscaler/clusterrole.yaml
@@ -19,3 +19,11 @@ rules:
       - get
       - list
       - watch
+  - apiGroups:
+      - odigos.io
+    resources:
+      - collectorsgroups/finalizers
+    verbs:
+      - get
+      - patch
+      - update
diff --git a/helm/odigos/templates/instrumentor/clusterrole.yaml b/helm/odigos/templates/instrumentor/clusterrole.yaml
@@ -49,6 +49,20 @@ rules:
       - watch
       - update
       - patch
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets/finalizers
+      - deployments/finalizers
+      - daemonsets/finalizers
+    verbs:
+      - update
+  - apiGroups:
+      - operator.odigos.io
+    resources:
+      - odigos/finalizers
+    verbs:
+      - update
   - apiGroups:
       - odigos.io
     resources:

diff --git a/helm/odigos/templates/odiglet/clusterrole.yaml b/helm/odigos/templates/odiglet/clusterrole.yaml
@@ -35,6 +35,14 @@ rules:
       - statefulsets/status
     verbs:
       - get
+  - apiGroups:
+      - apps
+    resources:
+      - deployments/finalizers
+      - daemonsets/finalizers
+      - statefulsets/finalizers
+    verbs:
+      - update
   - apiGroups:
       - ''
     resources:

diff --git a/operator/Makefile b/operator/Makefile
@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 1.0.144
+VERSION ?= 1.0.145
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")

diff --git a/operator/bundle/manifests/odigos-operator.clusterserviceversion.yaml b/operator/bundle/manifests/odigos-operator.clusterserviceversion.yaml
@@ -20,7 +20,7 @@ metadata:
     capabilities: Basic Install
     categories: Logging & Tracing
     containerImage: docker.io/keyval/odigos-operator:v1.0.144
-    createdAt: "2025-01-29T15:55:13Z"
+    createdAt: "2025-01-29T17:15:13Z"
     description: Odigos enables automatic distributed tracing with OpenTelemetry and
       eBPF.
     features.operators.openshift.io/disconnected: "false"
@@ -35,7 +35,7 @@ metadata:
     operators.operatorframework.io/builder: operator-sdk-v1.39.1
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
     support: Odigos
-  name: odigos-operator.v1.0.144
+  name: odigos-operator.v1.0.145
   namespace: odigos-operator-system
 spec:
   apiservicedefinitions: {}
@@ -213,6 +213,15 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - apps
+          resources:
+          - daemonsets/finalizers
+          - deployments/finalizers
+          - replicasets/finalizers
+          - statefulsets/finalizers
+          verbs:
+          - update
         - apiGroups:
           - apps
           resources:
@@ -260,6 +269,13 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - odigos.io
+          resources:
+          - collectorsgroups/finalizers
+          - sources/finalizers
+          verbs:
+          - update
         - apiGroups:
           - odigos.io
           resources:
@@ -297,12 +313,6 @@ spec:
           - get
           - list
           - watch
-        - apiGroups:
-          - odigos.io
-          resources:
-          - sources/finalizers
-          verbs:
-          - update
         - apiGroups:
           - operator.odigos.io
           resources:
@@ -395,7 +405,7 @@ spec:
                     fieldRef:
                       apiVersion: v1
                       fieldPath: metadata.namespace
-                image: keyval/odigos-operator:1.0.144
+                image: keyval/odigos-operator:1.0.145
                 livenessProbe:
                   httpGet:
                     path: /healthz
@@ -490,4 +500,4 @@ spec:
   provider:
     name: Odigos
     url: https://odigos.io
-  version: 1.0.144
+  version: 1.0.145
diff --git a/operator/config/manager/kustomization.yaml b/operator/config/manager/kustomization.yaml
@@ -5,4 +5,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: keyval/odigos-operator
-  newTag: 1.0.144
+  newTag: 1.0.145
diff --git a/operator/config/rbac/role.yaml b/operator/config/rbac/role.yaml
@@ -151,6 +151,15 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets/finalizers
+  - deployments/finalizers
+  - replicasets/finalizers
+  - statefulsets/finalizers
+  verbs:
+  - update
 - apiGroups:
   - apps
   resources:
@@ -198,6 +207,13 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - odigos.io
+  resources:
+  - collectorsgroups/finalizers
+  - sources/finalizers
+  verbs:
+  - update
 - apiGroups:
   - odigos.io
   resources:
@@ -235,12 +251,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - odigos.io
-  resources:
-  - sources/finalizers
-  verbs:
-  - update
 - apiGroups:
   - operator.odigos.io
   resources:

diff --git a/operator/internal/controller/odigos_controller.go b/operator/internal/controller/odigos_controller.go
@@ -52,6 +52,7 @@ type OdigosReconciler struct {
 // +kubebuilder:rbac:groups=actions.odigos.io,resources=*/status,verbs=get;patch;update
 // +kubebuilder:rbac:groups=odigos.io,resources=collectorsgroups,verbs=get;list;watch;create;patch;update;delete
 // +kubebuilder:rbac:groups=odigos.io,resources=collectorsgroups/status,verbs=get;list;watch;patch;update
+// +kubebuilder:rbac:groups=odigos.io,resources=collectorsgroups/finalizers,verbs=update
 // +kubebuilder:rbac:groups=odigos.io,resources=destinations,verbs=get;list;watch;create;patch;update;delete
 // +kubebuilder:rbac:groups=odigos.io,resources=destinations/status,verbs=get;patch;update
 // +kubebuilder:rbac:groups=odigos.io,resources=instrumentationrules,verbs=get;list;watch;patch;delete;create;update
@@ -76,6 +77,7 @@ type OdigosReconciler struct {
 // +kubebuilder:rbac:groups="",resources=endpoints,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch;get;patch
 // +kubebuilder:rbac:groups=apps,resources=deployments;replicasets;daemonsets;statefulsets,verbs=get;list;watch;create;update;patch;delete;deletecollection
+// +kubebuilder:rbac:groups=apps,resources=deployments/finalizers;replicasets/finalizers;daemonsets/finalizers;statefulsets/finalizers,verbs=update
 // +kubebuilder:rbac:groups=apps,resources=deployments/status;daemonsets/status;statefulsets/status,verbs=get
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=security.openshift.io,resources=securitycontextconstraints,verbs=use