From e2083ca2b9b7d19597d2cb09cb4752163063c531 Mon Sep 17 00:00:00 2001 From: Mulham Raee Date: Tue, 27 Aug 2024 17:38:47 +0200 Subject: [PATCH] re-add /finalizers subresource RBAC Update permissions on /finalizers subresrouce is required on managment clusters with 'OwnerReferencesPermissionEnforcement' plugin enabled. --- bootstrap/kubeadm/config/rbac/role.yaml | 1 + .../controllers/kubeadmconfig_controller.go | 2 +- config/rbac/role.yaml | 48 +++++++++++++++++++ .../clusterresourceset_controller.go | 2 +- .../controllers/machinepool_controller.go | 5 +- .../controllers/cluster/cluster_controller.go | 5 +- .../controllers/machine/machine_controller.go | 5 +- .../machinedeployment_controller.go | 5 +- .../machinehealthcheck_controller.go | 2 +- .../machineset/machineset_controller.go | 5 +- .../machinedeployment_controller.go | 2 +- .../machineset/machineset_controller.go | 2 +- .../docker/config/rbac/role.yaml | 3 ++ .../docker/exp/controllers/exp.go | 2 +- .../dockermachinepool_controller.go | 2 +- .../controllers/dockercluster_controller.go | 2 +- .../controllers/dockermachine_controller.go | 2 +- .../inmemory/config/rbac/role.yaml | 2 + .../controllers/inmemorycluster_controller.go | 2 +- .../controllers/inmemorymachine_controller.go | 2 +- 20 files changed, 85 insertions(+), 16 deletions(-)
diff --git a/bootstrap/kubeadm/config/rbac/role.yaml b/bootstrap/kubeadm/config/rbac/role.yaml
index 7e08acbef052..9a565ecca831 100644
--- a/bootstrap/kubeadm/config/rbac/role.yaml
+++ b/bootstrap/kubeadm/config/rbac/role.yaml
@@ -33,6 +33,7 @@ rules: - bootstrap.cluster.x-k8s.io resources: - kubeadmconfigs + - kubeadmconfigs/finalizers - kubeadmconfigs/status verbs: - create
diff --git a/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go b/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
index af698cad812f..926a00a0e44d 100644
--- a/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
+++ b/bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
@@ -74,7 +74,7 @@ type InitLocker interface {
 Unlock(ctx context.Context, cluster *clusterv1.Cluster) bool
 }

-// +kubebuilder:rbac:groups=bootstrap.cluster.x-k8s.io,resources=kubeadmconfigs;kubeadmconfigs/status,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=bootstrap.cluster.x-k8s.io,resources=kubeadmconfigs;kubeadmconfigs/status;kubeadmconfigs/finalizers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status;machinesets;machines;machines/status;machinepools;machinepools/status,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=secrets;configmaps,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 679552470711..8246715dd86b 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -27,6 +27,7 @@ rules: - apiGroups: - addons.cluster.x-k8s.io resources: + - clusterresourcesets/finalizers - clusterresourcesets/status verbs: - get
@@ -108,6 +109,18 @@ rules: - get - list - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - clusters + - clusters/finalizers + - clusters/status + verbs: + - get + - list + - patch + - update + - watch - apiGroups: - cluster.x-k8s.io resources:
@@ -135,6 +148,18 @@ rules: - cluster.x-k8s.io resources: - machinedeployments + - machinedeployments/finalizers + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - machinedeployments + - machinedeployments/finalizers - machinedeployments/status verbs: - create
@@ -160,6 +185,7 @@ rules: - cluster.x-k8s.io resources: - machinehealthchecks + - machinehealthchecks/finalizers - machinehealthchecks/status verbs: - get
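Review bot: The new marker in kubeadmconfig_controller.go appends `kubeadmconfigs/finalizers` to a rule whose verb list is `get;list;watch;create;update;patch;delete`, so the subresource receives six verbs beyond the one the commit message says is required. As the commit message and the linked OwnerReferencesPermissionEnforcement documentation describe it, the plugin checks `update` on the owner's `finalizers` subresource; leaving the old marker untouched and adding `// +kubebuilder:rbac:groups=bootstrap.cluster.x-k8s.io,resources=kubeadmconfigs/finalizers,verbs=update` grants exactly that. The same widening appears in the machinepool, cluster, machine, machinedeployment, machinehealthcheck, machineset and both topology controller markers, while the clusterresourceset, docker and inmemory markers in this same commit use the narrower `get;update;patch`, so the change is not consistent with itself on this point. The role.yaml files look generated from these markers and would need regenerating after any such split.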
@@ -183,6 +209,7 @@ rules: - cluster.x-k8s.io resources: - machinepools + - machinepools/finalizers - machinepools/status verbs: - create
@@ -196,6 +223,7 @@ rules: - cluster.x-k8s.io resources: - machines + - machines/finalizers - machines/status verbs: - create
@@ -205,10 +233,29 @@ rules: - patch - update - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - machines + - machines/status + verbs: + - delete + - get + - list + - watch +- apiGroups: + - cluster.x-k8s.io + resources: + - machinesets + verbs: + - get + - list + - watch - apiGroups: - cluster.x-k8s.io resources: - machinesets + - machinesets/finalizers verbs: - get - list
@@ -219,6 +266,7 @@ rules: - cluster.x-k8s.io resources: - machinesets + - machinesets/finalizers - machinesets/status verbs: - create
diff --git a/exp/addons/internal/controllers/clusterresourceset_controller.go b/exp/addons/internal/controllers/clusterresourceset_controller.go
index 9f5cac203335..a61d3687219b 100644
--- a/exp/addons/internal/controllers/clusterresourceset_controller.go
+++ b/exp/addons/internal/controllers/clusterresourceset_controller.go
@@ -56,7 +56,7 @@ var ErrSecretTypeNotSupported = errors.New("unsupported secret type")
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;patch
 // +kubebuilder:rbac:groups=core,resources=configmaps,verbs=get;list;watch;patch;update
 // +kubebuilder:rbac:groups=addons.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=addons.cluster.x-k8s.io,resources=clusterresourcesets/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=addons.cluster.x-k8s.io,resources=clusterresourcesets/status;clusterresourcesets/finalizers,verbs=get;update;patch

 // ClusterResourceSetReconciler reconciles a ClusterResourceSet object.
 type ClusterResourceSetReconciler struct {
diff --git a/exp/internal/controllers/machinepool_controller.go b/exp/internal/controllers/machinepool_controller.go
index aae6fa66885d..320f3b6280da 100644
--- a/exp/internal/controllers/machinepool_controller.go
+++ b/exp/internal/controllers/machinepool_controller.go
@@ -50,10 +50,13 @@ import (
 "sigs.k8s.io/cluster-api/util/predicates"
 )

+// Update permissions on /finalizers subresrouce is required on management clusters with 'OwnerReferencesPermissionEnforcement' plugin enabled.
+// See: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+//
 // +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinepools;machinepools/status,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinepools;machinepools/status;machinepools/finalizers,verbs=get;list;watch;create;update;patch;delete

 var (
 // machinePoolKind contains the schema.GroupVersionKind for the MachinePool type.
diff --git a/internal/controllers/cluster/cluster_controller.go b/internal/controllers/cluster/cluster_controller.go
index 452cfe9c0521..a6308084376c 100644
--- a/internal/controllers/cluster/cluster_controller.go
+++ b/internal/controllers/cluster/cluster_controller.go
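Review bot: The explanatory comment added above the markers in machinepool_controller.go misspells "subresource" as "subresrouce", and the same text is pasted into cluster_controller.go, machine_controller.go, machinedeployment_controller.go and machineset_controller.go. Suggested wording: `// Update permission on the /finalizers subresource is required on management clusters with the 'OwnerReferencesPermissionEnforcement' admission plugin enabled.` The other sites touched by this commit (kubeadmconfig, clusterresourceset, machinehealthcheck, both topology controllers, docker, inmemory) receive the grant with no comment at all. Since the title says the permission is being re-added, which suggests it was dropped once already, a one-line pointer such as `// /finalizers: needed for OwnerReferencesPermissionEnforcement, see link in machine_controller.go` at those sites would keep a later RBAC clean-up from removing it again.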
@@ -58,10 +58,13 @@ const (
 deleteRequeueAfter = 5 * time.Second
 )

+// Update permissions on /finalizers subresrouce is required on management clusters with 'OwnerReferencesPermissionEnforcement' plugin enabled.
+// See: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+//
 // +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;patch;update
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io;controlplane.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status;clusters/finalizers,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch

 // Reconciler reconciles a Cluster object.
diff --git a/internal/controllers/machine/machine_controller.go b/internal/controllers/machine/machine_controller.go
index 31aa7726a868..2df9172976eb 100644
--- a/internal/controllers/machine/machine_controller.go
+++ b/internal/controllers/machine/machine_controller.go
@@ -65,10 +65,13 @@ var (
 errControlPlaneIsBeingDeleted = errors.New("control plane is being deleted")
 )

+// Update permissions on /finalizers subresrouce is required on management clusters with 'OwnerReferencesPermissionEnforcement' plugin enabled.
+// See: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+//
 // +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machines;machines/status,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machines;machines/status;machines/finalizers,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch

 // Reconciler reconciles a Machine object.
diff --git a/internal/controllers/machinedeployment/machinedeployment_controller.go b/internal/controllers/machinedeployment/machinedeployment_controller.go
index 99629642da81..089f42e192ef 100644
--- a/internal/controllers/machinedeployment/machinedeployment_controller.go
+++ b/internal/controllers/machinedeployment/machinedeployment_controller.go
@@ -55,10 +55,13 @@ var (
 // in the MachineDeployment controller.
 const machineDeploymentManagerName = "capi-machinedeployment"

+// Update permissions on /finalizers subresrouce is required on management clusters with 'OwnerReferencesPermissionEnforcement' plugin enabled.
+// See: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+//
 // +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinedeployments;machinedeployments/status,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinedeployments;machinedeployments/status;machinedeployments/finalizers,verbs=get;list;watch;create;update;patch;delete

 // Reconciler reconciles a MachineDeployment object.
 type Reconciler struct {
diff --git a/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go b/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go
index 0065a969f560..ff3c4ea7c41c 100644
--- a/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go
+++ b/internal/controllers/machinehealthcheck/machinehealthcheck_controller.go
@@ -70,7 +70,7 @@ const (
 // +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machines;machines/status,verbs=get;list;watch;delete
-// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinehealthchecks;machinehealthchecks/status,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinehealthchecks;machinehealthchecks/status;machinehealthchecks/finalizers,verbs=get;list;watch;update;patch

 // Reconciler reconciles a MachineHealthCheck object.
 type Reconciler struct {
diff --git a/internal/controllers/machineset/machineset_controller.go b/internal/controllers/machineset/machineset_controller.go
index c4d618e9a0e1..b4e2cc149c85 100644
--- a/internal/controllers/machineset/machineset_controller.go
+++ b/internal/controllers/machineset/machineset_controller.go
@@ -75,10 +75,13 @@ var (

 const machineSetManagerName = "capi-machineset"

+// Update permissions on /finalizers subresrouce is required on management clusters with 'OwnerReferencesPermissionEnforcement' plugin enabled.
+// See: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+//
 // +kubebuilder:rbac:groups=core,resources=events,verbs=create;patch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinesets;machinesets/status,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinesets;machinesets/status;machinesets/finalizers,verbs=get;list;watch;create;update;patch;delete

 // Reconciler reconciles a MachineSet object.
 type Reconciler struct {
diff --git a/internal/controllers/topology/machinedeployment/machinedeployment_controller.go b/internal/controllers/topology/machinedeployment/machinedeployment_controller.go
index ad4046f0c214..ad821dda1ab6 100644
--- a/internal/controllers/topology/machinedeployment/machinedeployment_controller.go
+++ b/internal/controllers/topology/machinedeployment/machinedeployment_controller.go
@@ -43,7 +43,7 @@ import (

 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io,resources=*,verbs=delete
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters,verbs=get;list;watch
-// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinedeployments,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinedeployments;machinedeployments/finalizers,verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinesets,verbs=get;list;watch

 // Reconciler deletes referenced templates during deletion of topology-owned MachineDeployments.
diff --git a/internal/controllers/topology/machineset/machineset_controller.go b/internal/controllers/topology/machineset/machineset_controller.go
index ad5de014c898..6ce4daad152c 100644
--- a/internal/controllers/topology/machineset/machineset_controller.go
+++ b/internal/controllers/topology/machineset/machineset_controller.go
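Review bot: It is not evident from the topology machinedeployment hunk that this reconciler needs `machinedeployments/finalizers` at all. Its doc comment, which continues past the hunk, says it deletes referenced templates when a topology-owned MachineDeployment is deleted, and editing `metadata.finalizers` on the object is already covered by `update;patch` on `machinedeployments`; the subresource permission only matters to a client that writes an ownerReference with `blockOwnerDeletion` pointing at a MachineDeployment. If this reconciler never does that, the marker can stay as it was, because the main MachineDeployment controller marker in this commit already carries the grant. The same question applies to the topology machineset marker and to `machinehealthchecks/finalizers`; where the grant is needed, a short comment naming the objects that reference the owner would justify it.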
@@ -46,7 +46,7 @@ import (
 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io;bootstrap.cluster.x-k8s.io,resources=*,verbs=delete
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters,verbs=get;list;watch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinedeployments,verbs=get;list;watch
-// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinesets,verbs=get;list;watch;update;patch
+// +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinesets;machinesets/finalizers,verbs=get;list;watch;update;patch

 // Reconciler deletes referenced templates during deletion of topology-owned MachineSets.
 // The templates are only deleted, if they are not used in other MachineDeployments or MachineSets which are not in deleting state,
diff --git a/test/infrastructure/docker/config/rbac/role.yaml b/test/infrastructure/docker/config/rbac/role.yaml
index 83f9ac77eb40..546705e9a9f6 100644
--- a/test/infrastructure/docker/config/rbac/role.yaml
+++ b/test/infrastructure/docker/config/rbac/role.yaml
@@ -75,6 +75,7 @@ rules: - apiGroups: - infrastructure.cluster.x-k8s.io resources: + - dockerclusters/finalizers - dockerclusters/status verbs: - get
@@ -95,6 +96,7 @@ rules: - apiGroups: - infrastructure.cluster.x-k8s.io resources: + - dockermachinepools/finalizers - dockermachinepools/status verbs: - get
@@ -115,6 +117,7 @@ rules: - apiGroups: - infrastructure.cluster.x-k8s.io resources: + - dockermachines/finalizers - dockermachines/status verbs: - get
diff --git a/test/infrastructure/docker/exp/controllers/exp.go b/test/infrastructure/docker/exp/controllers/exp.go
index 24ff85dc4fb1..47b39adb2ce2 100644
--- a/test/infrastructure/docker/exp/controllers/exp.go
+++ b/test/infrastructure/docker/exp/controllers/exp.go
@@ -19,5 +19,5 @@ package controllers
 // This file adds RBAC permissions to the Docker Infrastructure manager to operate on objects in the experimental API group.

 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockermachinepools,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockermachinepools/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockermachinepools/status;dockermachinepools/finalizers,verbs=get;update;patch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinepools;machinepools/status,verbs=get;list;watch
diff --git a/test/infrastructure/docker/exp/internal/controllers/dockermachinepool_controller.go b/test/infrastructure/docker/exp/internal/controllers/dockermachinepool_controller.go
index df4cb34f141c..205e1f2f3483 100644
--- a/test/infrastructure/docker/exp/internal/controllers/dockermachinepool_controller.go
+++ b/test/infrastructure/docker/exp/internal/controllers/dockermachinepool_controller.go
@@ -78,7 +78,7 @@ type DockerMachinePoolReconciler struct {
 }

 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockermachinepools,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockermachinepools/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockermachinepools/status;dockermachinepools/finalizers,verbs=get;update;patch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinepools;machinepools/status,verbs=get;list;watch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machines,verbs=get;list;watch;delete
 // +kubebuilder:rbac:groups="",resources=secrets;,verbs=get;list;watch
diff --git a/test/infrastructure/docker/internal/controllers/dockercluster_controller.go b/test/infrastructure/docker/internal/controllers/dockercluster_controller.go
index 091401f6d097..a701040f9227 100644
--- a/test/infrastructure/docker/internal/controllers/dockercluster_controller.go
+++ b/test/infrastructure/docker/internal/controllers/dockercluster_controller.go
@@ -50,7 +50,7 @@ type DockerClusterReconciler struct {
 }

 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockerclusters,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockerclusters/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockerclusters/status;dockerclusters/finalizers,verbs=get;update;patch

 // Reconcile reads that state of the cluster for a DockerCluster object and makes changes based on the state read
 // and what is in the DockerCluster.Spec.
diff --git a/test/infrastructure/docker/internal/controllers/dockermachine_controller.go b/test/infrastructure/docker/internal/controllers/dockermachine_controller.go
index eb075a63104d..e9b987bc8ea2 100644
--- a/test/infrastructure/docker/internal/controllers/dockermachine_controller.go
+++ b/test/infrastructure/docker/internal/controllers/dockermachine_controller.go
@@ -63,7 +63,7 @@ type DockerMachineReconciler struct {
 }

 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockermachines,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockermachines/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=dockermachines/status;dockermachines/finalizers,verbs=get;update;patch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;machinesets;machines,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=secrets;,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch
diff --git a/test/infrastructure/inmemory/config/rbac/role.yaml b/test/infrastructure/inmemory/config/rbac/role.yaml
index e344a927db52..91e3482a64e9 100644
--- a/test/infrastructure/inmemory/config/rbac/role.yaml
+++ b/test/infrastructure/inmemory/config/rbac/role.yaml
@@ -57,6 +57,7 @@ rules: - apiGroups: - infrastructure.cluster.x-k8s.io resources: + - inmemoryclusters/finalizers - inmemoryclusters/status verbs: - get
@@ -77,6 +78,7 @@ rules: - apiGroups: - infrastructure.cluster.x-k8s.io resources: + - inmemorymachines/finalizers - inmemorymachines/status verbs: - get
diff --git a/test/infrastructure/inmemory/internal/controllers/inmemorycluster_controller.go b/test/infrastructure/inmemory/internal/controllers/inmemorycluster_controller.go
index 22751838d1e3..96392a543e53 100644
--- a/test/infrastructure/inmemory/internal/controllers/inmemorycluster_controller.go
+++ b/test/infrastructure/inmemory/internal/controllers/inmemorycluster_controller.go
@@ -55,7 +55,7 @@ type InMemoryClusterReconciler struct {
 }

 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=inmemoryclusters,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=inmemoryclusters/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=inmemoryclusters/status;inmemoryclusters/finalizers,verbs=get;update;patch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters,verbs=get;list;watch

 // Reconcile reads that state of the cluster for a InMemoryCluster object and makes changes based on the state read
diff --git a/test/infrastructure/inmemory/internal/controllers/inmemorymachine_controller.go b/test/infrastructure/inmemory/internal/controllers/inmemorymachine_controller.go
index 04c97f88d22f..51666e0d8193 100644
--- a/test/infrastructure/inmemory/internal/controllers/inmemorymachine_controller.go
+++ b/test/infrastructure/inmemory/internal/controllers/inmemorymachine_controller.go
@@ -68,7 +68,7 @@ type InMemoryMachineReconciler struct {
 }

 // +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=inmemorymachines,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=inmemorymachines/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=inmemorymachines/status;inmemorymachines/finalizers,verbs=get;update;patch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;machinesets;machines,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch