Enable manager role to modify operator finalizers

This permission was missing and was causing issues when deploying the Gatekeeper resource as the manager couldn't set the onwer references to other objects. Closes #88
gatekeeper · Dec 18, 2020 · 03cb149 · 03cb149
1 parent 5d0c60c
commit 03cb149
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/config/rbac/base/role.yaml b/config/rbac/base/role.yaml
@@ -82,6 +82,15 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - operator.gatekeeper.sh
+  resources:
+  - gatekeepers/finalizers
+  verbs:
+  - delete
+  - get
+  - patch
+  - update
 - apiGroups:
   - operator.gatekeeper.sh
   resources:

diff --git a/controllers/gatekeeper_controller.go b/controllers/gatekeeper_controller.go
@@ -97,6 +97,7 @@ type GatekeeperReconciler struct {
 // Gatekeeper Operator RBAC permissions to manager Gatekeeper custom resource
 // +kubebuilder:rbac:groups=operator.gatekeeper.sh,resources=gatekeepers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=operator.gatekeeper.sh,resources=gatekeepers/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=operator.gatekeeper.sh,resources=gatekeepers/finalizers,verbs=delete;get;update;patch
 
 // Gatekeeper Operator RBAC permissions to deploy Gatekeeper. Many of these
 // RBAC permissions are needed because the operator must have the permissions