[release-4.19] Avoid using lb-ext.kubeconfig for seedgen cleanup#6881
Conversation
This is a *manual* cherry-pick of openshift-kni#6008, with an additional RBAC fix: add pod delete permission to the seedgen controller's kubebuilder RBAC annotation.

On main, switching from `oc delete pod` (authenticated via lb-ext.kubeconfig) to `r.Client.Delete()` (authenticated via the controller's service account) worked because an unrelated commit d756889 ("MGMT-21789: Add new feature for deleting pods stuck in ImagePullBackOff error") had already added the pod delete verb to the ClusterRole. That commit is not in release-4.19, so on a clean cherry-pick the service account lacked the permission and pod cleanup during seed generation will fail with a forbidden error:

```
2026-05-15T15:06:58.207369896Z 2026-05-15T15:06:58Z ERROR controllers.SeedGenerator Seed generation failed {"error": "failed to cleanup Succeeded pods: failed to delete pod openshift-kube-scheduler/installer-5-retry-1-seed-sno-node: pods \"installer-5-retry-1-seed-sno-node\" is forbidden: User \"system:serviceaccount:openshift-lifecycle-agent:lifecycle-agent-controller-manager\" cannot delete resource \"pods\" in API group \"\" in the namespace \"openshift-kube-scheduler\""}
```

The original kubebuilder annotation was never updated to include delete when the code was changed to use the client — it was simply masked on main by the MGMT-21789 RBAC addition. This commit fixes the annotation at the source so the permission is explicitly tied to the code that needs it.
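A small lint for the root cause described in this PR, added here as an example (it is not part of this PR or of the lifecycle-agent code): it parses kubebuilder RBAC marker lines into (group, resource, verb) rules and checks whether they grant a verb, so that a controller moving from `oc delete pod` under a kubeconfig to `r.Client.Delete()` under its own service account can be checked against its own annotation before the ClusterRole is generated. The marker strings are constructed, and the pre-fix verb list is an assumption rather than the project's actual annotation.

```go
package main

import (
	"fmt"
	"strings"
)

// rbacRule is one parsed marker such as //+kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;delete
type rbacRule struct{ Groups, Resources, Verbs []string }
// parseMarker parses a single kubebuilder RBAC marker line; ok is false for any other line.
func parseMarker(line string) (r rbacRule, ok bool) {
	const prefix = "+kubebuilder:rbac:"
	s := strings.TrimSpace(strings.TrimLeft(strings.TrimSpace(line), "/"))
	if !strings.HasPrefix(s, prefix) {
		return r, false
	}
	fields := map[string]*[]string{"groups": &r.Groups, "resources": &r.Resources, "verbs": &r.Verbs}
	for _, kv := range strings.Split(strings.TrimPrefix(s, prefix), ",") {
		k, v, _ := strings.Cut(kv, "=")
		if dst, known := fields[k]; known {
			*dst = strings.Split(strings.Trim(v, `"`), ";") // groups="" stays "", the core API group
		}
	}
	return r, true
}
// Allows reports whether any marker grants verb on resource in apiGroup ("" is core); "*" matches anything.
func Allows(markers []string, apiGroup, resource, verb string) bool {
	has := func(list []string, want string) bool {
		for _, v := range list {
			if v == "*" || v == want {
				return true
			}
		}
		return false
	}
	for _, line := range markers {
		if r, ok := parseMarker(line); ok && has(r.Groups, apiGroup) && has(r.Resources, resource) && has(r.Verbs, verb) {
			return true
		}
	}
	return false
}
// Constructed markers for the seedgen pod rule; the pre-fix verb list is an assumption, not the project's.
var BeforeFix = []string{`//+kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch`}
var AfterFix = []string{`//+kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;delete`}

func main() { // prints: false true
	fmt.Println(Allows(BeforeFix, "", "pods", "delete"), Allows(AfterFix, "", "pods", "delete"))
}
```

Running the same check against the verbs the controller code actually calls through its client catches the masking described above, where a verb is granted only because another feature happened to add it.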
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jc-rh

The full list of commands accepted by this bot can be found here. The pull request process is described here.
a7d726c into openshift-kni:release-4.19
/cherrypick release-4.18 release-4.17 release-4.16
@jc-rh: new pull request created: #6884