ROSAENG-14287: fix(clusterrole): allow system:admin (Hive) to delete protected ClusterRoles#592
Conversation
…erRoles Hive uses system:admin to manage resources on target clusters. When a SyncSet is removed, Hive needs to delete the backplane-* ClusterRoles it previously created. The webhook was denying these deletions because system:admin was explicitly excluded from the system: user bypass and was not in the allowedUsers list. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
@joshbranham: This pull request references ROSAENG-14287 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
WalkthroughThis PR adds ChangesClusterRole Deletion Allowlist
Estimated code review effort: 1 (Trivial) | ~5 minutes 🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
pkg/webhooks/clusterrole/clusterrole.go (1)
56-59: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winConsider reusing the shared
utils.IsClusterAdmin()check instead of a local allowlist.The repository's documented authorization hierarchy already centralizes
kube:admin,system:admin, andbackplane-cluster-adminunderutils.IsClusterAdmin(). Maintaining a second, webhook-localallowedUserslist duplicates that logic and risks drifting out of sync (e.g.,kube:adminis not in this list even though it's a cluster-admin identity per the documented hierarchy).As per coding guidelines, "Cluster Admins -
utils.IsClusterAdmin()-kube:admin,system:admin,backplane-cluster-admin" is the established pattern; consider calling that helper here rather than growing this bespoke list.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@pkg/webhooks/clusterrole/clusterrole.go` around lines 56 - 59, The webhook in clusterrole.go is maintaining a local allowedUsers allowlist that duplicates cluster-admin authorization logic and can drift from the shared hierarchy. Update the cluster role webhook to use utils.IsClusterAdmin() instead of hardcoding identities in allowedUsers, so the authorization check consistently covers kube:admin, system:admin, and backplane-cluster-admin through the shared helper.Source: Coding guidelines
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@pkg/webhooks/clusterrole/clusterrole.go`:
- Around line 56-59: The webhook in clusterrole.go is maintaining a local
allowedUsers allowlist that duplicates cluster-admin authorization logic and can
drift from the shared hierarchy. Update the cluster role webhook to use
utils.IsClusterAdmin() instead of hardcoding identities in allowedUsers, so the
authorization check consistently covers kube:admin, system:admin, and
backplane-cluster-admin through the shared helper.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: eb9f26d9-03b5-4c0f-9908-3634e08d8e28
📒 Files selected for processing (2)
pkg/webhooks/clusterrole/clusterrole.gopkg/webhooks/clusterrole/clusterrole_test.go
|
@joshbranham: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: feichashao, joshbranham The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Hive uses system:admin to manage resources on target clusters. When a SyncSet is removed, Hive needs to delete the ClusterRoles it previously created. The webhook was denying these deletions because system:admin was explicitly excluded from the system: user bypass and was not in the allowedUsers list.
Summary by CodeRabbit
system:adminis now allowed to delete protected roles in approved cases.