preflight permissions: removing clusterextensions/finalizer patch requirement

joelanford · joelanford · commit 7369824d2a8d · 2025-04-11T21:06:15.000-04:00
The clusterextensions/finalizer requirement comes from the desire to support clusters where OwnerReferencesPermissionEnforcement plugin is enabled. This plugin requires "update", but not "patch" for the clusterextensions/finalizers permission. See: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement Signed-off-by: Joe Lanford <joe.lanford@gmail.com>
diff --git a/internal/operator-controller/authorization/rbac.go b/internal/operator-controller/authorization/rbac.go
@@ -364,7 +364,7 @@ func (dm *decodedManifest) asAuthorizationAttributesRecordsForUser(manifestManag
 			})
 		}
 
-		for _, verb := range []string{"update", "patch"} {
+		for _, verb := range []string{"update"} {
 			attributeRecords = append(attributeRecords, authorizer.AttributesRecord{
 				User:            manifestManager,
 				Name:            ext.Name,

Original file line number	Diff line number	Diff line change
`@@ -364,7 +364,7 @@ func (dm *decodedManifest) asAuthorizationAttributesRecordsForUser(manifestManag`
`364`	`364`	`})`
`365`	`365`	`}`
`366`	`366`
`367`		`- for _, verb := range []string{"update", "patch"} {`
	`367`	`+ for _, verb := range []string{"update"} {`
`368`	`368`	`attributeRecords = append(attributeRecords, authorizer.AttributesRecord{`
`369`	`369`	`User: manifestManager,`
`370`	`370`	`Name: ext.Name,`