Make Strimzi work with the OwnerReferencesPermissionEnforcement admission controller (#12030)

Signed-off-by: Jakub Scholz <www@scholzj.com>

Author: scholzj

cluster-operator/src/main/resources/cluster-roles/031-ClusterRole-strimzi-entity-operator.yaml

@@ -41,6 +41,14 @@ rules:
       - get
       - patch
       - update
+  - apiGroups:
+      - "kafka.strimzi.io"
+    resources:
+      # Needed for environments with enabled OwnerReferencesPermissionEnforcement admission controller (e.g. OpenShift)
+      - kafkatopics/finalizers
+      - kafkausers/finalizers
+    verbs:
+      - update
   - apiGroups:
       - ""
     resources:

cluster-operator/src/test/java/io/strimzi/operator/cluster/model/EntityOperatorTest.java

@@ -727,6 +727,11 @@ public void testRole() {
                 .addToVerbs("get", "patch", "update")
                 .addToApiGroups(Constants.RESOURCE_GROUP_NAME)
                 .build());
+        rules.add(new PolicyRuleBuilder()
+                .addToResources("kafkatopics/finalizers", "kafkausers/finalizers")
+                .addToVerbs("update")
+                .addToApiGroups(Constants.RESOURCE_GROUP_NAME)
+                .build());
         rules.add(new PolicyRuleBuilder()
                 .addToResources("secrets")
                 .addToVerbs("get", "list", "watch", "create", "delete", "patch", "update")

packaging/helm-charts/helm3/strimzi-kafka-operator/templates/023-ClusterRole-strimzi-cluster-operator-role.yaml

@@ -55,6 +55,19 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+    - "kafka.strimzi.io"
+  resources:
+    # Needed for environments with enabled OwnerReferencesPermissionEnforcement admission controller (e.g. OpenShift)
+    - kafkas/finalizers
+    - kafkanodepools/finalizers
+    - kafkaconnects/finalizers
+    - kafkaconnectors/finalizers
+    - kafkabridges/finalizers
+    - kafkamirrormaker2s/finalizers
+    - kafkarebalances/finalizers
+  verbs:
+    - update
 - apiGroups:
   - "core.strimzi.io"
   resources:
@@ -77,6 +90,13 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - "core.strimzi.io"
+  resources:
+  # Needed for environments with enabled OwnerReferencesPermissionEnforcement admission controller (e.g. OpenShift)
+  - strimzipodsets/finalizers
+  verbs:
+  - update
 - apiGroups:
     - "kafka.strimzi.io"
   resources:

packaging/helm-charts/helm3/strimzi-kafka-operator/templates/031-ClusterRole-strimzi-entity-operator.yaml

@@ -46,6 +46,14 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+    - "kafka.strimzi.io"
+  resources:
+    # Needed for environments with enabled OwnerReferencesPermissionEnforcement admission controller (e.g. OpenShift)
+    - kafkatopics/finalizers
+    - kafkausers/finalizers
+  verbs:
+    - update
 - apiGroups:
   - ""
   resources:

packaging/install/cluster-operator/023-ClusterRole-strimzi-cluster-operator-role.yaml

@@ -50,6 +50,19 @@ rules:
       - get
       - patch
       - update
+  - apiGroups:
+      - "kafka.strimzi.io"
+    resources:
+      # Needed for environments with enabled OwnerReferencesPermissionEnforcement admission controller (e.g. OpenShift)
+      - kafkas/finalizers
+      - kafkanodepools/finalizers
+      - kafkaconnects/finalizers
+      - kafkaconnectors/finalizers
+      - kafkabridges/finalizers
+      - kafkamirrormaker2s/finalizers
+      - kafkarebalances/finalizers
+    verbs:
+      - update
   - apiGroups:
       - "core.strimzi.io"
     resources:
@@ -72,6 +85,13 @@ rules:
       - get
       - patch
       - update
+  - apiGroups:
+      - "core.strimzi.io"
+    resources:
+      # Needed for environments with enabled OwnerReferencesPermissionEnforcement admission controller (e.g. OpenShift)
+      - strimzipodsets/finalizers
+    verbs:
+      - update
   - apiGroups:
       - "kafka.strimzi.io"
     resources:

packaging/install/cluster-operator/031-ClusterRole-strimzi-entity-operator.yaml

@@ -41,6 +41,14 @@ rules:
       - get
       - patch
       - update
+  - apiGroups:
+      - "kafka.strimzi.io"
+    resources:
+      # Needed for environments with enabled OwnerReferencesPermissionEnforcement admission controller (e.g. OpenShift)
+      - kafkatopics/finalizers
+      - kafkausers/finalizers
+    verbs:
+      - update
   - apiGroups:
       - ""
     resources:

packaging/install/topic-operator/02-Role-strimzi-topic-operator.yaml

@@ -25,3 +25,10 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+    # Needed for environments with enabled OwnerReferencesPermissionEnforcement admission controller (e.g. OpenShift)
+    - "kafka.strimzi.io"
+  resources:
+    - kafkatopics/finalizers
+  verbs:
+    - update

packaging/install/user-operator/02-Role-strimzi-user-operator.yaml

@@ -24,6 +24,13 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+    - "kafka.strimzi.io"
+  resources:
+    # Needed for environments with enabled OwnerReferencesPermissionEnforcement admission controller (e.g. OpenShift)
+    - kafkausers/finalizers
+  verbs:
+    - update
 - apiGroups:
   - ""
   resources: