From cce3d1c74b7a0ceea75442e6cf56303f96b52c6f Mon Sep 17 00:00:00 2001
From: Shyamsundar Ranganathan
Date: Tue, 22 Aug 2023 16:19:38 -0400
Subject: [PATCH] Update hub RBAC to include Placement finalizer "update"
As per [1] when setting owner references to a resource and specifically while setting blockOwnerDeletion to true, an RBAC to update the finalizer of the resource set as the owner is required. This commit adds the required RBAC for the same.
[1] https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
Signed-off-by: Shyamsundar Ranganathan
(cherry picked from commit 11b77299c2caab78cb37c904218015de68906de2)
---
 config/hub/rbac/role.yaml | 6 ++++++
 config/rbac/role.yaml | 7 +++++++
 controllers/drplacementcontrol_controller.go | 3 ++-
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/config/hub/rbac/role.yaml b/config/hub/rbac/role.yaml
index 63d6d8aae..415ac0f95 100644
--- a/config/hub/rbac/role.yaml
+++ b/config/hub/rbac/role.yaml
@@ -99,6 +99,12 @@ rules:
 - list
 - update
 - watch
+- apiGroups:
+ - cluster.open-cluster-management.io
+ resources:
+ - placements/finalizers
+ verbs:
+ - update
 - apiGroups:
 - policy.open-cluster-management.io
 resources:
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 6d04ba431..2b87f0bb7 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -103,7 +103,14 @@ rules:
 verbs:
 - get
 - list
+ - update
 - watch
+- apiGroups:
+ - cluster.open-cluster-management.io
+ resources:
+ - placements/finalizers
+ verbs:
+ - update
 - apiGroups:
 - ""
 resources:
diff --git a/controllers/drplacementcontrol_controller.go b/controllers/drplacementcontrol_controller.go
index b63f389bf..16a3a1aea 100644
--- a/controllers/drplacementcontrol_controller.go
+++ b/controllers/drplacementcontrol_controller.go
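Review bot: In the config/rbac/role.yaml hunk, the added `- update` verb between `- list` and `- watch` widens an existing rule beyond what the description justifies; the description and the linked OwnerReferencesPermissionEnforcement reference only call for `update` on the finalizers subresource, which the new `placements/finalizers` rule already grants. That rule's `resources` list starts above the hunk, so the affected resource is not visible here, but the matching marker change in controllers/drplacementcontrol_controller.go suggests it is `placements`. If the controller really does write Placement objects, record why in the description or in a comment next to the marker, for example `// update on placements is needed because <reason>`; otherwise drop the verb so the role keeps only get/list/watch on the resource plus `update` on `placements/finalizers`. role.yaml looks like it is generated from the kubebuilder markers, so the change would belong on the marker line and the manifests should be regenerated.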
@@ -566,7 +566,8 @@ func (r *DRPlacementControlReconciler) SetupWithManager(mgr ctrl.Manager) error
 // +kubebuilder:rbac:groups=core,resources=events,verbs=get;create;patch;update
 // +kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=placementdecisions,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=placementdecisions/status,verbs=get;update;patch
-// +kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=placements,verbs=get;list;watch
+// +kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=placements,verbs=get;list;watch;update
+// +kubebuilder:rbac:groups=cluster.open-cluster-management.io,resources=placements/finalizers,verbs=update
 // +kubebuilder:rbac:groups=argoproj.io,resources=applicationsets,verbs=get;list;watch
 // +kubebuilder:rbac:groups=core,resources=secrets,verbs=get;list;watch;create;update;patch;delete