From 1d8ddd2e148498fad047d49019f275b091639fe0 Mon Sep 17 00:00:00 2001
From: Sunil Thaha
Date: Fri, 1 Mar 2019 20:53:29 +1000
Subject: [PATCH] Fix WebHook controller crashing on minishift

Installing tekton on minishift fails to bring up webhook-controller pod due missing RBAC policy. Pod logs shows the following error
``` json
{ "level":"error", "logger":"webhook", "caller":"webhook/webhook.go:310" , "msg":"failed to register webhook" "knative.dev/controller":"webhook" "error":"failed to create a webhook: mutatingwebhookconfigurations.admissionregistration.k8s.io \"webhook.tekton.dev\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: no RBAC policy matched " "stacktrace":" github.com/knative/build-pipeline/vendor/github.com/knative/pkg/webhook.(*AdmissionController).Run /usr/local/google/home/jasonhall/go/src/github.com/knative/build-pipeline/vendor/github.com/knative/pkg/webhook/webhook.go:310 main.main /usr/local/google/home/jasonhall/go/src/github.com/knative/build-pipeline/cmd/webhook/main.go:97" }
```
This patch fixes it by adding the missing rules for `deployments/finailizer` resource to the cluster-role.
---
 config/200-clusterrole.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
index dd9636177a1..4003a8ceef5 100644
--- a/config/200-clusterrole.yaml
+++ b/config/200-clusterrole.yaml
@@ -9,6 +9,9 @@ rules:
 - apiGroups: ["extensions"]
 resources: ["deployments"]
 verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+ - apiGroups: ["extensions"]
+ resources: ["deployments/finalizers"]
+ verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 - apiGroups: ["admissionregistration.k8s.io"]
 resources: ["mutatingwebhookconfigurations"]
 verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
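Review bot: The added `deployments/finalizers` rule copies the full verb list from the `deployments` rule above it, but the error quoted in the commit message comes from the ownerReference check on `blockOwnerDeletion`, which to my knowledge only requires `update` on the owner's finalizers subresource; `verbs: ["update"]` would clear it without granting the webhook more than it needs in a cluster-wide role. The rule is also limited to the `extensions` API group, so if the ownerReference ever names the Deployment as `apps/v1` the same forbidden error would presumably return, which is worth confirming against the webhook's Deployment manifest outside this hunk. A one-line comment above the rule, such as `# needed to set blockOwnerDeletion on the webhook's owner reference (OwnerReferencesPermissionEnforcement)`, would keep the entry from being removed as unused later. The `rules:` list starts and continues outside the hunk.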