Skip to content

ROSAENG-14287: fix(clusterrole): allow system:admin (Hive) to delete protected ClusterRoles#592

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:masterfrom
joshbranham:fix/allow-hive-delete-backplane-clusterroles
Jul 4, 2026
Merged

ROSAENG-14287: fix(clusterrole): allow system:admin (Hive) to delete protected ClusterRoles#592
openshift-merge-bot[bot] merged 1 commit into
openshift:masterfrom
joshbranham:fix/allow-hive-delete-backplane-clusterroles

Conversation

@joshbranham

@joshbranham joshbranham commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Hive uses system:admin to manage resources on target clusters. When a SyncSet is removed, Hive needs to delete the ClusterRoles it previously created. The webhook was denying these deletions because system:admin was explicitly excluded from the system: user bypass and was not in the allowedUsers list.

- failureMessage: '[failed to delete rbac.authorization.k8s.io/v1, Kind=ClusterRole
        /backplane-lpsre-admins-project: could not delete resource: admission webhook
        "clusterroles-validation.managed.openshift.io" denied the request: Deleting
        ClusterRole backplane-lpsre-admins-project is not allowed, failed to delete
        rbac.authorization.k8s.io/v1, Kind=ClusterRole /backplane-lpsre-monitoring-project:
        could not delete resource: admission webhook "clusterroles-validation.managed.openshift.io"
        denied the request: Deleting ClusterRole backplane-lpsre-monitoring-project
        is not allowed, failed to delete rbac.authorization.k8s.io/v1, Kind=ClusterRole
        /backplane-lpsre-package-operator-cluster: could not delete resource: admission
        webhook "clusterroles-validation.managed.openshift.io" denied the request:
        Deleting ClusterRole backplane-lpsre-package-operator-cluster is not allowed,
        failed to delete rbac.authorization.k8s.io/v1, Kind=ClusterRole /backplane-lpsre-package-operator-project:
        could not delete resource: admission webhook "clusterroles-validation.managed.openshift.io"
        denied the request: Deleting ClusterRole backplane-lpsre-package-operator-project
        is not allowed]'
      firstSuccessTime: "2026-03-27T08:25:17Z"
      lastTransitionTime: "2026-04-08T07:05:06Z"
      name: backplane-lpsre-addon-cert-manager-operator

Summary by CodeRabbit

  • Bug Fixes
    • Expanded ClusterRole deletion permissions so system:admin is now allowed to delete protected roles in approved cases.
    • Improved handling for protected “backplane” roles, reducing unexpected authorization failures during deletion.
    • Added coverage for these permission scenarios to help prevent regressions.

…erRoles

Hive uses system:admin to manage resources on target clusters. When a
SyncSet is removed, Hive needs to delete the backplane-* ClusterRoles it
previously created. The webhook was denying these deletions because
system:admin was explicitly excluded from the system: user bypass and
was not in the allowedUsers list.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@joshbranham joshbranham self-assigned this Jul 4, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 4, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 4, 2026

Copy link
Copy Markdown

@joshbranham: This pull request references ROSAENG-14287 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Hive uses system:admin to manage resources on target clusters. When a SyncSet is removed, Hive needs to delete the backplane-* ClusterRoles it previously created. The webhook was denying these deletions because system:admin was explicitly excluded from the system: user bypass and was not in the allowedUsers list.

When a SyncSet is deleted, and it had a ClusterRole, hive cannot successfully delete it, leading to errors like this:

- failureMessage: '[failed to delete rbac.authorization.k8s.io/v1, Kind=ClusterRole
       /backplane-lpsre-admins-project: could not delete resource: admission webhook
       "clusterroles-validation.managed.openshift.io" denied the request: Deleting
       ClusterRole backplane-lpsre-admins-project is not allowed, failed to delete
       rbac.authorization.k8s.io/v1, Kind=ClusterRole /backplane-lpsre-monitoring-project:
       could not delete resource: admission webhook "clusterroles-validation.managed.openshift.io"
       denied the request: Deleting ClusterRole backplane-lpsre-monitoring-project
       is not allowed, failed to delete rbac.authorization.k8s.io/v1, Kind=ClusterRole
       /backplane-lpsre-package-operator-cluster: could not delete resource: admission
       webhook "clusterroles-validation.managed.openshift.io" denied the request:
       Deleting ClusterRole backplane-lpsre-package-operator-cluster is not allowed,
       failed to delete rbac.authorization.k8s.io/v1, Kind=ClusterRole /backplane-lpsre-package-operator-project:
       could not delete resource: admission webhook "clusterroles-validation.managed.openshift.io"
       denied the request: Deleting ClusterRole backplane-lpsre-package-operator-project
       is not allowed]'
     firstSuccessTime: "2026-03-27T08:25:17Z"
     lastTransitionTime: "2026-04-08T07:05:06Z"
     name: backplane-lpsre-addon-cert-manager-operator

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown

Walkthrough

This PR adds system:admin to the allowedUsers allowlist in the ClusterRole deletion webhook and updates the test suite with a new backplane ClusterRole fixture, harness switch logic, and additional positive test cases validating the new allowance.

Changes

ClusterRole Deletion Allowlist

Layer / File(s) Summary
Allowlist update
pkg/webhooks/clusterrole/clusterrole.go
Adds system:admin to the allowedUsers set used to authorize deletion requests.
Test fixtures and coverage
pkg/webhooks/clusterrole/clusterrole_test.go
Adds a testBackplaneClusterRoleJSON fixture, converts the test harness's clusterRoleJSON selection to a switch statement handling backplane-lpsre-admins-project, and adds two new positive test cases for system:admin targeting backplane and cluster-admin roles.

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The changed tests use fixed string IDs only; no Ginkgo/t.Run titles interpolate names, timestamps, UUIDs, or other dynamic data.
Test Structure And Quality ✅ Passed Not a Ginkgo suite; these are table-driven unit tests, and the new cases follow the repo’s existing webhook test pattern without resource setup or waits.
Microshift Test Compatibility ✅ Passed Only pkg/webhooks unit tests changed; no new Ginkgo e2e It/Describe tests were added, so MicroShift-specific compatibility rules don’t apply.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No Ginkgo e2e tests were added; the changed file is a standard Go unit test with no multi-node/SNO assumptions.
Topology-Aware Scheduling Compatibility ✅ Passed Only the clusterrole webhook allowlist and tests changed; no manifests, replicas, node selectors, affinity, or topology-aware scheduling logic were introduced.
Ote Binary Stdout Contract ✅ Passed The PR only edits webhook allowlist/test fixtures; no main/init/TestMain/suite setup or stdout writes were added in the touched package.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Modified tests are plain unit tests; no Ginkgo e2e, IPv4 literals, host/IP parsing, or external network calls were added.
No-Weak-Crypto ✅ Passed Touched files only add authorization allowlist/test cases; no weak crypto, custom crypto, or secret/token comparisons found.
Container-Privileges ✅ Passed The PR only changes webhook allowlist and tests; no container/K8s manifests or securityContext settings like privileged/hostPID/allowPrivilegeEscalation were added.
No-Sensitive-Data-In-Logs ✅ Passed No new logging was introduced; the diff only adds system:admin to an allowlist and new test fixtures, while existing log calls remain unchanged.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: allowing system:admin to delete protected ClusterRoles.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 4, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
pkg/webhooks/clusterrole/clusterrole.go (1)

56-59: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider reusing the shared utils.IsClusterAdmin() check instead of a local allowlist.

The repository's documented authorization hierarchy already centralizes kube:admin, system:admin, and backplane-cluster-admin under utils.IsClusterAdmin(). Maintaining a second, webhook-local allowedUsers list duplicates that logic and risks drifting out of sync (e.g., kube:admin is not in this list even though it's a cluster-admin identity per the documented hierarchy).

As per coding guidelines, "Cluster Admins - utils.IsClusterAdmin() - kube:admin, system:admin, backplane-cluster-admin" is the established pattern; consider calling that helper here rather than growing this bespoke list.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/webhooks/clusterrole/clusterrole.go` around lines 56 - 59, The webhook in
clusterrole.go is maintaining a local allowedUsers allowlist that duplicates
cluster-admin authorization logic and can drift from the shared hierarchy.
Update the cluster role webhook to use utils.IsClusterAdmin() instead of
hardcoding identities in allowedUsers, so the authorization check consistently
covers kube:admin, system:admin, and backplane-cluster-admin through the shared
helper.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@pkg/webhooks/clusterrole/clusterrole.go`:
- Around line 56-59: The webhook in clusterrole.go is maintaining a local
allowedUsers allowlist that duplicates cluster-admin authorization logic and can
drift from the shared hierarchy. Update the cluster role webhook to use
utils.IsClusterAdmin() instead of hardcoding identities in allowedUsers, so the
authorization check consistently covers kube:admin, system:admin, and
backplane-cluster-admin through the shared helper.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: eb9f26d9-03b5-4c0f-9908-3634e08d8e28

📥 Commits

Reviewing files that changed from the base of the PR and between 8fcc010 and 6937c1e.

📒 Files selected for processing (2)
  • pkg/webhooks/clusterrole/clusterrole.go
  • pkg/webhooks/clusterrole/clusterrole_test.go

@openshift-ci

openshift-ci Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

@joshbranham: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@feichashao

Copy link
Copy Markdown
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 4, 2026
@openshift-ci

openshift-ci Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: feichashao, joshbranham

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [feichashao,joshbranham]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit 335ae06 into openshift:master Jul 4, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants