system:kube-scheduler: extend the RBAC with pods/finalizers

When enabling DynamicResourceAllocation the dynamicresource plugin may error during scheduling with: ``` E0212 08:57:53.817268 1 framework.go:1323] "Plugin failed" err="podschedulingcontexts.resource.k8s.io \"pod\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>" plugin="DynamicResources" pod="gpu-test2/pod" ```
2025-07-31 07:20:13 +00:00 · 2024-02-26 13:57:33 +01:00 · 2024-02-26 13:57:33 +01:00 · 0045ef5294
commit 0045ef5294
parent 98bd90fbe2
1 changed files with 1 additions and 0 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@ -580,6 +580,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
 			rbacv1helpers.NewRule(ReadUpdate...).Groups(resourceGroup).Resources("resourceclaims/status").RuleOrDie(),
 			rbacv1helpers.NewRule(ReadWrite...).Groups(resourceGroup).Resources("podschedulingcontexts").RuleOrDie(),
 			rbacv1helpers.NewRule(Read...).Groups(resourceGroup).Resources("podschedulingcontexts/status").RuleOrDie(),
+			rbacv1helpers.NewRule(ReadUpdate...).Groups(legacyGroup).Resources("pods/finalizers").RuleOrDie(),
 		)
 	}
 	roles = append(roles, rbacv1.ClusterRole{