UPSTREAM: 49133: add controller permissions to set blockOwnerDeletion

:100644 100644 93834cb040... 5c4287925b... M	plugin/pkg/admission/gc/gc_admission.go
:100644 100644 4d7a6aac6a... 691be3da3b... M	plugin/pkg/admission/gc/gc_admission_test.go
:100644 100644 a040a311f2... 942fc0ac0e... M	plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
:100644 100644 fd67e7b7a4... 1a56a0a901... M	plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml

Author: deads2k

Diff for: plugin/pkg/admission/gc/gc_admission.go

@@ -122,7 +122,7 @@ func (a *gcPermissionsEnforcement) Admit(attributes admission.Attributes) (err e
 		for _, record := range records {
 			allowed, reason, err := a.authorizer.Authorize(record)
 			if !allowed {
-				return admission.NewForbidden(attributes, fmt.Errorf("cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't delete: %v, %v", reason, err))
+				return admission.NewForbidden(attributes, fmt.Errorf("cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: %v, %v", reason, err))
 			}
 		}
 	}
@@ -178,12 +178,13 @@ func (a *gcPermissionsEnforcement) ownerRefToDeleteAttributeRecords(ref metav1.O
 	for _, mapping := range mappings {
 		ret = append(ret, authorizer.AttributesRecord{
 			User: attributes.GetUserInfo(),
-			Verb: "delete",
+			Verb: "update",
 			// ownerReference can only refer to an object in the same namespace, so attributes.GetNamespace() equals to the owner's namespace
 			Namespace:       attributes.GetNamespace(),
 			APIGroup:        groupVersion.Group,
 			APIVersion:      groupVersion.Version,
 			Resource:        mapping.Resource,
+			Subresource:     "finalizers",
 			Name:            ref.Name,
 			ResourceRequest: true,
 			Path:            "",

Diff for: plugin/pkg/admission/gc/gc_admission_test.go

@@ -39,20 +39,29 @@ func (fakeAuthorizer) Authorize(a authorizer.Attributes) (bool, string, error) {
 		if a.GetVerb() == "delete" {
 			return false, "", nil
 		}
+		if a.GetVerb() == "update" && a.GetSubresource() == "finalizers" {
+			return false, "", nil
+		}
 		return true, "", nil
 	}
 
 	if username == "non-pod-deleter" {
 		if a.GetVerb() == "delete" && a.GetResource() == "pods" {
 			return false, "", nil
 		}
+		if a.GetVerb() == "update" && a.GetResource() == "pods" && a.GetSubresource() == "finalizers" {
+			return false, "", nil
+		}
 		return true, "", nil
 	}
 
 	if username == "non-rc-deleter" {
 		if a.GetVerb() == "delete" && a.GetResource() == "replicationcontrollers" {
 			return false, "", nil
 		}
+		if a.GetVerb() == "update" && a.GetResource() == "replicationcontrollers" && a.GetSubresource() == "finalizers" {
+			return false, "", nil
+		}
 		return true, "", nil
 	}
 
@@ -326,7 +335,10 @@ func TestBlockOwnerDeletionAdmission(t *testing.T) {
 		return err == nil
 	}
 	expectCantSetBlockOwnerDeletionError := func(err error) bool {
-		return strings.Contains(err.Error(), "cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't delete")
+		if err == nil {
+			return false
+		}
+		return strings.Contains(err.Error(), "cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on")
 	}
 	tests := []struct {
 		name        string

Diff for: plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go

@@ -71,18 +71,20 @@ func init() {
 	addControllerRole(rbac.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "cronjob-controller"},
 		Rules: []rbac.PolicyRule{
-			rbac.NewRule("get", "list", "watch", "update", "delete").Groups(batchGroup).Resources("cronjobs").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch", "update").Groups(batchGroup).Resources("cronjobs").RuleOrDie(),
 			rbac.NewRule("get", "list", "watch", "create", "update", "delete", "patch").Groups(batchGroup).Resources("jobs").RuleOrDie(),
 			rbac.NewRule("update").Groups(batchGroup).Resources("cronjobs/status").RuleOrDie(),
+			rbac.NewRule("update").Groups(batchGroup).Resources("cronjobs/finalizers").RuleOrDie(),
 			rbac.NewRule("list", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 			eventsRule(),
 		},
 	})
 	addControllerRole(rbac.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "daemon-set-controller"},
 		Rules: []rbac.PolicyRule{
-			rbac.NewRule("get", "list", "watch", "delete").Groups(extensionsGroup).Resources("daemonsets").RuleOrDie(),
-			rbac.NewRule("update").Groups(extensionsGroup).Resources("daemonsets/status").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch").Groups(extensionsGroup, appsGroup).Resources("daemonsets").RuleOrDie(),
+			rbac.NewRule("update").Groups(extensionsGroup, appsGroup).Resources("daemonsets/status").RuleOrDie(),
+			rbac.NewRule("update").Groups(extensionsGroup, appsGroup).Resources("daemonsets/finalizers").RuleOrDie(),
 			rbac.NewRule("list", "watch").Groups(legacyGroup).Resources("nodes").RuleOrDie(),
 			rbac.NewRule("list", "watch", "create", "delete", "patch").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 			rbac.NewRule("create").Groups(legacyGroup).Resources("pods/binding").RuleOrDie(),
@@ -93,8 +95,9 @@ func init() {
 	addControllerRole(rbac.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "deployment-controller"},
 		Rules: []rbac.PolicyRule{
-			rbac.NewRule("get", "list", "watch", "update", "delete").Groups(extensionsGroup, appsGroup).Resources("deployments").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch", "update").Groups(extensionsGroup, appsGroup).Resources("deployments").RuleOrDie(),
 			rbac.NewRule("update").Groups(extensionsGroup, appsGroup).Resources("deployments/status").RuleOrDie(),
+			rbac.NewRule("update").Groups(extensionsGroup, appsGroup).Resources("deployments/finalizers").RuleOrDie(),
 			rbac.NewRule("get", "list", "watch", "create", "update", "patch", "delete").Groups(extensionsGroup).Resources("replicasets").RuleOrDie(),
 			// TODO: remove "update" once
 			// https://github.com/kubernetes/kubernetes/issues/36897 is resolved.
@@ -151,8 +154,9 @@ func init() {
 	addControllerRole(rbac.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "job-controller"},
 		Rules: []rbac.PolicyRule{
-			rbac.NewRule("get", "list", "watch", "update", "delete").Groups(batchGroup).Resources("jobs").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch", "update").Groups(batchGroup).Resources("jobs").RuleOrDie(),
 			rbac.NewRule("update").Groups(batchGroup).Resources("jobs/status").RuleOrDie(),
+			rbac.NewRule("update").Groups(batchGroup).Resources("jobs/finalizers").RuleOrDie(),
 			rbac.NewRule("list", "watch", "create", "delete", "patch").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 			eventsRule(),
 		},
@@ -208,8 +212,9 @@ func init() {
 	addControllerRole(rbac.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "replicaset-controller"},
 		Rules: []rbac.PolicyRule{
-			rbac.NewRule("get", "list", "watch", "update", "delete").Groups(extensionsGroup).Resources("replicasets").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch", "update").Groups(extensionsGroup).Resources("replicasets").RuleOrDie(),
 			rbac.NewRule("update").Groups(extensionsGroup).Resources("replicasets/status").RuleOrDie(),
+			rbac.NewRule("update").Groups(extensionsGroup).Resources("replicasets/finalizers").RuleOrDie(),
 			rbac.NewRule("list", "watch", "patch", "create", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 			eventsRule(),
 		},
@@ -218,8 +223,9 @@ func init() {
 		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "replication-controller"},
 		Rules: []rbac.PolicyRule{
 			// 1.0 controllers needed get, update, so without these old controllers break on new servers
-			rbac.NewRule("get", "list", "watch", "update", "delete").Groups(legacyGroup).Resources("replicationcontrollers").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch", "update").Groups(legacyGroup).Resources("replicationcontrollers").RuleOrDie(),
 			rbac.NewRule("update").Groups(legacyGroup).Resources("replicationcontrollers/status").RuleOrDie(),
+			rbac.NewRule("update").Groups(legacyGroup).Resources("replicationcontrollers/finalizers").RuleOrDie(),
 			rbac.NewRule("list", "watch", "patch", "create", "delete").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 			eventsRule(),
 		},
@@ -261,8 +267,9 @@ func init() {
 		ObjectMeta: metav1.ObjectMeta{Name: saRolePrefix + "statefulset-controller"},
 		Rules: []rbac.PolicyRule{
 			rbac.NewRule("list", "watch").Groups(legacyGroup).Resources("pods").RuleOrDie(),
-			rbac.NewRule("get", "list", "watch", "delete").Groups(appsGroup).Resources("statefulsets").RuleOrDie(),
+			rbac.NewRule("get", "list", "watch").Groups(appsGroup).Resources("statefulsets").RuleOrDie(),
 			rbac.NewRule("update").Groups(appsGroup).Resources("statefulsets/status").RuleOrDie(),
+			rbac.NewRule("update").Groups(appsGroup).Resources("statefulsets/finalizers").RuleOrDie(),
 			rbac.NewRule("get", "create", "delete", "update", "patch").Groups(legacyGroup).Resources("pods").RuleOrDie(),
 			rbac.NewRule("get", "create", "delete", "update", "patch", "list", "watch").Groups(appsGroup).Resources("controllerrevisions").RuleOrDie(),
 			rbac.NewRule("get", "create").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(),

Diff for: plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml

@@ -102,7 +102,6 @@ items:
     resources:
     - cronjobs
     verbs:
-    - delete
     - get
     - list
     - update
@@ -125,6 +124,12 @@ items:
     - cronjobs/status
     verbs:
     - update
+  - apiGroups:
+    - batch
+    resources:
+    - cronjobs/finalizers
+    verbs:
+    - update
   - apiGroups:
     - ""
     resources:
@@ -151,20 +156,28 @@ items:
     name: system:controller:daemon-set-controller
   rules:
   - apiGroups:
+    - apps
     - extensions
     resources:
     - daemonsets
     verbs:
-    - delete
     - get
     - list
     - watch
   - apiGroups:
+    - apps
     - extensions
     resources:
     - daemonsets/status
     verbs:
     - update
+  - apiGroups:
+    - apps
+    - extensions
+    resources:
+    - daemonsets/finalizers
+    verbs:
+    - update
   - apiGroups:
     - ""
     resources:
@@ -223,7 +236,6 @@ items:
     resources:
     - deployments
     verbs:
-    - delete
     - get
     - list
     - update
@@ -235,6 +247,13 @@ items:
     - deployments/status
     verbs:
     - update
+  - apiGroups:
+    - apps
+    - extensions
+    resources:
+    - deployments/finalizers
+    verbs:
+    - update
   - apiGroups:
     - extensions
     resources:
@@ -495,7 +514,6 @@ items:
     resources:
     - jobs
     verbs:
-    - delete
     - get
     - list
     - update
@@ -506,6 +524,12 @@ items:
     - jobs/status
     verbs:
     - update
+  - apiGroups:
+    - batch
+    resources:
+    - jobs/finalizers
+    verbs:
+    - update
   - apiGroups:
     - ""
     resources:
@@ -742,7 +766,6 @@ items:
     resources:
     - replicasets
     verbs:
-    - delete
     - get
     - list
     - update
@@ -753,6 +776,12 @@ items:
     - replicasets/status
     verbs:
     - update
+  - apiGroups:
+    - extensions
+    resources:
+    - replicasets/finalizers
+    verbs:
+    - update
   - apiGroups:
     - ""
     resources:
@@ -786,7 +815,6 @@ items:
     resources:
     - replicationcontrollers
     verbs:
-    - delete
     - get
     - list
     - update
@@ -797,6 +825,12 @@ items:
     - replicationcontrollers/status
     verbs:
     - update
+  - apiGroups:
+    - ""
+    resources:
+    - replicationcontrollers/finalizers
+    verbs:
+    - update
   - apiGroups:
     - ""
     resources:
@@ -962,7 +996,6 @@ items:
     resources:
     - statefulsets
     verbs:
-    - delete
     - get
     - list
     - watch
@@ -972,6 +1005,12 @@ items:
     - statefulsets/status
     verbs:
     - update
+  - apiGroups:
+    - apps
+    resources:
+    - statefulsets/finalizers
+    verbs:
+    - update
   - apiGroups:
     - ""
     resources: