fix permission for cleanupSubscription on OLM installation (#704)

freeznet · web-flow · commit bee039c71d65 · 2023-10-24T22:39:16.000+08:00
* fix permission for cleanup on OLM installation

* address child pods are preserved by default when jobs are deleted warning

* address getBackgroundDeletionPolicy() to all controllers
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -163,6 +163,30 @@ rules:
   - get
   - list
   - update
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - ""
   resources:
diff --git a/controllers/common.go b/controllers/common.go
@@ -336,3 +336,11 @@ func ConvertHPAV2ToV2beta2(hpa *autov2.HorizontalPodAutoscaler) *autoscalingv2be
 
 	return result
 }
+
+func getBackgroundDeletionPolicy() client.DeleteOption {
+	backgroundDeletion := metav1.DeletePropagationBackground
+	var deleteOptions client.DeleteOption = &client.DeleteOptions{
+		PropagationPolicy: &backgroundDeletion,
+	}
+	return deleteOptions
+}
diff --git a/controllers/function.go b/controllers/function.go
@@ -336,7 +336,7 @@ func (r *FunctionReconciler) ApplyFunctionVPA(ctx context.Context, function *v1a
 func (r *FunctionReconciler) ApplyFunctionCleanUpJob(ctx context.Context, function *v1alpha1.Function) error {
 	if !spec.NeedCleanup(function) {
 		desiredJob := spec.MakeFunctionCleanUpJob(function)
-		if err := r.Delete(ctx, desiredJob); err != nil {
+		if err := r.Delete(ctx, desiredJob, getBackgroundDeletionPolicy()); err != nil {
 			if errors.IsNotFound(err) {
 				return nil
 			}
@@ -380,7 +380,7 @@ func (r *FunctionReconciler) ApplyFunctionCleanUpJob(ctx context.Context, functi
 				}
 			} else {
 				// delete the cleanup job
-				if err := r.Delete(ctx, desiredJob); err != nil {
+				if err := r.Delete(ctx, desiredJob, getBackgroundDeletionPolicy()); err != nil {
 					return err
 				}
 			}
@@ -395,10 +395,9 @@ func (r *FunctionReconciler) ApplyFunctionCleanUpJob(ctx context.Context, functi
 
 			desiredJob := spec.MakeFunctionCleanUpJob(function)
 			// delete the cleanup job
-			if err := r.Delete(ctx, desiredJob); err != nil {
+			if err := r.Delete(ctx, desiredJob, getBackgroundDeletionPolicy()); err != nil {
 				return err
 			}
-
 		}
 	}
 	return nil
diff --git a/controllers/function_controller.go b/controllers/function_controller.go
@@ -59,6 +59,8 @@ type FunctionReconciler struct {
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;delete
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=pods/exec,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=autoscaling,resources=horizontalpodautoscalers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=autoscaling.k8s.io,resources=verticalpodautoscalers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;create;update;delete
diff --git a/controllers/sink.go b/controllers/sink.go
@@ -332,7 +332,7 @@ func (r *SinkReconciler) ApplySinkVPA(ctx context.Context, sink *v1alpha1.Sink)
 func (r *SinkReconciler) ApplySinkCleanUpJob(ctx context.Context, sink *v1alpha1.Sink) error {
 	if !spec.NeedCleanup(sink) {
 		desiredJob := spec.MakeSinkCleanUpJob(sink)
-		if err := r.Delete(ctx, desiredJob); err != nil {
+		if err := r.Delete(ctx, desiredJob, getBackgroundDeletionPolicy()); err != nil {
 			if errors.IsNotFound(err) {
 				return nil
 			}
@@ -376,7 +376,7 @@ func (r *SinkReconciler) ApplySinkCleanUpJob(ctx context.Context, sink *v1alpha1
 				}
 			} else {
 				// delete the cleanup job
-				if err := r.Delete(ctx, desiredJob); err != nil {
+				if err := r.Delete(ctx, desiredJob, getBackgroundDeletionPolicy()); err != nil {
 					return err
 				}
 			}
@@ -391,7 +391,7 @@ func (r *SinkReconciler) ApplySinkCleanUpJob(ctx context.Context, sink *v1alpha1
 
 			desiredJob := spec.MakeSinkCleanUpJob(sink)
 			// delete the cleanup job
-			if err := r.Delete(ctx, desiredJob); err != nil {
+			if err := r.Delete(ctx, desiredJob, getBackgroundDeletionPolicy()); err != nil {
 				return err
 			}
 
diff --git a/controllers/sink_controller.go b/controllers/sink_controller.go
@@ -58,6 +58,9 @@ type SinkReconciler struct {
 // +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;delete
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=pods/exec,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=autoscaling,resources=horizontalpodautoscalers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=autoscaling.k8s.io,resources=verticalpodautoscalers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;create;update;delete
diff --git a/controllers/source.go b/controllers/source.go
@@ -334,7 +334,7 @@ func (r *SourceReconciler) ApplySourceVPA(ctx context.Context, source *v1alpha1.
 func (r *SourceReconciler) ApplySourceCleanUpJob(ctx context.Context, source *v1alpha1.Source) error {
 	if !spec.NeedCleanup(source) {
 		desiredJob := spec.MakeSourceCleanUpJob(source)
-		if err := r.Delete(ctx, desiredJob); err != nil {
+		if err := r.Delete(ctx, desiredJob, getBackgroundDeletionPolicy()); err != nil {
 			if errors.IsNotFound(err) {
 				return nil
 			}
@@ -378,7 +378,7 @@ func (r *SourceReconciler) ApplySourceCleanUpJob(ctx context.Context, source *v1
 				}
 			} else {
 				// delete the cleanup job
-				if err := r.Delete(ctx, desiredJob); err != nil {
+				if err := r.Delete(ctx, desiredJob, getBackgroundDeletionPolicy()); err != nil {
 					return err
 				}
 			}
@@ -393,7 +393,7 @@ func (r *SourceReconciler) ApplySourceCleanUpJob(ctx context.Context, source *v1
 
 			desiredJob := spec.MakeSourceCleanUpJob(source)
 			// delete the cleanup job
-			if err := r.Delete(ctx, desiredJob); err != nil {
+			if err := r.Delete(ctx, desiredJob, getBackgroundDeletionPolicy()); err != nil {
 				return err
 			}
 
diff --git a/controllers/source_controller.go b/controllers/source_controller.go
@@ -57,6 +57,9 @@ type SourceReconciler struct {
 // +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;delete
 // +kubebuilder:rbac:groups=core,resources=services,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=core,resources=pods/exec,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=autoscaling,resources=horizontalpodautoscalers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=autoscaling.k8s.io,resources=verticalpodautoscalers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;create;update;delete

Original file line number	Diff line number	Diff line change
`@@ -336,7 +336,7 @@ func (r FunctionReconciler) ApplyFunctionVPA(ctx context.Context, function v1a`
`336`	`336`	`func (r FunctionReconciler) ApplyFunctionCleanUpJob(ctx context.Context, function v1alpha1.Function) error {`
`337`	`337`	`if !spec.NeedCleanup(function) {`
`338`	`338`	`desiredJob := spec.MakeFunctionCleanUpJob(function)`
`339`		`- if err := r.Delete(ctx, desiredJob); err != nil {`
	`339`	`+ if err := r.Delete(ctx, desiredJob, getBackgroundDeletionPolicy()); err != nil {`
`340`	`340`	`if errors.IsNotFound(err) {`
`341`	`341`	`return nil`
`342`	`342`	`}`
`@@ -380,7 +380,7 @@ func (r *FunctionReconciler) ApplyFunctionCleanUpJob(ctx context.Context, functi`
`380`	`380`	`}`
`381`	`381`	`} else {`
`382`	`382`	`// delete the cleanup job`
`383`		`- if err := r.Delete(ctx, desiredJob); err != nil {`
	`383`	`+ if err := r.Delete(ctx, desiredJob, getBackgroundDeletionPolicy()); err != nil {`
`384`	`384`	`return err`
`385`	`385`	`}`
`386`	`386`	`}`
`@@ -395,10 +395,9 @@ func (r *FunctionReconciler) ApplyFunctionCleanUpJob(ctx context.Context, functi`
`395`	`395`
`396`	`396`	`desiredJob := spec.MakeFunctionCleanUpJob(function)`
`397`	`397`	`// delete the cleanup job`
`398`		`- if err := r.Delete(ctx, desiredJob); err != nil {`
	`398`	`+ if err := r.Delete(ctx, desiredJob, getBackgroundDeletionPolicy()); err != nil {`
`399`	`399`	`return err`
`400`	`400`	`}`
`401`		`-`
`402`	`401`	`}`
`403`	`402`	`}`
`404`	`403`	`return nil`
Original file line number	Diff line number	Diff line change
`@@ -332,7 +332,7 @@ func (r SinkReconciler) ApplySinkVPA(ctx context.Context, sink v1alpha1.Sink)`
`332`	`332`	`func (r SinkReconciler) ApplySinkCleanUpJob(ctx context.Context, sink v1alpha1.Sink) error {`
`333`	`333`	`if !spec.NeedCleanup(sink) {`
`334`	`334`	`desiredJob := spec.MakeSinkCleanUpJob(sink)`
`335`		`- if err := r.Delete(ctx, desiredJob); err != nil {`
	`335`	`+ if err := r.Delete(ctx, desiredJob, getBackgroundDeletionPolicy()); err != nil {`
`336`	`336`	`if errors.IsNotFound(err) {`
`337`	`337`	`return nil`
`338`	`338`	`}`
`@@ -376,7 +376,7 @@ func (r SinkReconciler) ApplySinkCleanUpJob(ctx context.Context, sink v1alpha1`
`376`	`376`	`}`
`377`	`377`	`} else {`
`378`	`378`	`// delete the cleanup job`
`379`		`- if err := r.Delete(ctx, desiredJob); err != nil {`
	`379`	`+ if err := r.Delete(ctx, desiredJob, getBackgroundDeletionPolicy()); err != nil {`
`380`	`380`	`return err`
`381`	`381`	`}`
`382`	`382`	`}`
`@@ -391,7 +391,7 @@ func (r SinkReconciler) ApplySinkCleanUpJob(ctx context.Context, sink v1alpha1`
`391`	`391`
`392`	`392`	`desiredJob := spec.MakeSinkCleanUpJob(sink)`
`393`	`393`	`// delete the cleanup job`
`394`		`- if err := r.Delete(ctx, desiredJob); err != nil {`
	`394`	`+ if err := r.Delete(ctx, desiredJob, getBackgroundDeletionPolicy()); err != nil {`
`395`	`395`	`return err`
`396`	`396`	`}`
`397`	`397`
Original file line number	Diff line number	Diff line change
`@@ -334,7 +334,7 @@ func (r SourceReconciler) ApplySourceVPA(ctx context.Context, source v1alpha1.`
`334`	`334`	`func (r SourceReconciler) ApplySourceCleanUpJob(ctx context.Context, source v1alpha1.Source) error {`
`335`	`335`	`if !spec.NeedCleanup(source) {`
`336`	`336`	`desiredJob := spec.MakeSourceCleanUpJob(source)`
`337`		`- if err := r.Delete(ctx, desiredJob); err != nil {`
	`337`	`+ if err := r.Delete(ctx, desiredJob, getBackgroundDeletionPolicy()); err != nil {`
`338`	`338`	`if errors.IsNotFound(err) {`
`339`	`339`	`return nil`
`340`	`340`	`}`
`@@ -378,7 +378,7 @@ func (r SourceReconciler) ApplySourceCleanUpJob(ctx context.Context, source v1`
`378`	`378`	`}`
`379`	`379`	`} else {`
`380`	`380`	`// delete the cleanup job`
`381`		`- if err := r.Delete(ctx, desiredJob); err != nil {`
	`381`	`+ if err := r.Delete(ctx, desiredJob, getBackgroundDeletionPolicy()); err != nil {`
`382`	`382`	`return err`
`383`	`383`	`}`
`384`	`384`	`}`
`@@ -393,7 +393,7 @@ func (r SourceReconciler) ApplySourceCleanUpJob(ctx context.Context, source v1`
`393`	`393`
`394`	`394`	`desiredJob := spec.MakeSourceCleanUpJob(source)`
`395`	`395`	`// delete the cleanup job`
`396`		`- if err := r.Delete(ctx, desiredJob); err != nil {`
	`396`	`+ if err := r.Delete(ctx, desiredJob, getBackgroundDeletionPolicy()); err != nil {`
`397`	`397`	`return err`
`398`	`398`	`}`
`399`	`399`