readd required buildrun permission when OwnerRefererencesPermissionEnforcement is enabled

[gabemontero]

Changes

Fixes #806

/kind bug

Submitter Checklist

• Includes tests if functionality changed/was added
• Includes docs if changes are user-facing
• Set a kind label on this PR
• [/ ] Release notes block has been filled in, or marked NONE

See the contributor guide
for details on coding conventions, github and prow interactions, and the code review process.

Release Notes

Use of the OwnerRefererencesPermissionEnforcement admission controller was broken because of permission reductions introduced in v0.5.0.  The required permissions have been reintroduced.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from gabemontero after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gabemontero]

/assign @imjasonh

I believe the final determination of what from your RBAC PR caused this is in #806 (comment)

[imjasonh]

Suggested change

	# This permission is required by the OwnerReferencesPermissionEnforcement admission controller,
	# which requires that controllers wishing to set OwnerReferences with blockOwnerDeletion have permission
	# to update finalizers on the owner resource.

[gabemontero]

comment added @imjasonh

[adambkaplan]

Won't we need permission to delete BuildRun objects, since we make the Build parent an owner?

See also #807 - I've updated our KinD config to enable the admission controllers that OpenShift uses.

[gabemontero]

Won't we need permission to delete BuildRun objects, since we make the Build parent an owner?

Those permissions were not needed in my testing to execute a build run on openshift 4.8.

See also #807 - I've updated our KinD config to enable the admission controllers that OpenShift uses.

Yep, ideally we see a similar failure with that new test, and then after merging this change, those failures go away.

[gabemontero]

Won't we need permission to delete BuildRun objects, since we make the Build parent an owner?

Those permissions were not needed in my testing to execute a build run on openshift 4.8.

See also #807 - I've updated our KinD config to enable the admission controllers that OpenShift uses.

Yep, ideally we see a similar failure with that new test, and then after merging this change, those failures go away.

fwiw @adambkaplan I created a new 4.8 cluster today, deployed the current pipelines release from operator hub, and did a ko apply -R -f ./deploy from my local branch with only this commit's rbac changes (i.e. only adding the 'update' perm for buildruns/finalizer) and was able to create buildruns and taskruns off of a shipwright build / buildstrategy

[sbose78]

Nice! After this goes in, should we be releasing a 0.5.1 ? cc @qu1queee

[gabemontero]

As https://github.com/shipwright-io/build/pull/807/files contains this change, plus additional perms and testing enablement, I'm closing this out