From ebc5b208ae63e33fa5ae2825226fa8eb299fc178 Mon Sep 17 00:00:00 2001
From: Jan Safranek
Date: Thu, 24 Nov 2022 14:46:42 +0100
Subject: [PATCH] Fix OwnerReferencesPermissionEnforcement complaints when autodeleting PVCs When StatefulSetAutoDeletePVC feature gate is enabled, StatefulSet controller updates ownerReferences on managed PVCs. To be able to pass OwnerReferencesPermissionEnforcement admission, it must have permissions to delete PVCs.
---
 .../auth/authorizer/rbac/bootstrappolicy/controller_policy.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
index cbae6c311aa..1ad9ac11e5a 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
@@ -384,7 +384,7 @@ func buildControllerRoles() ([]rbacv1.ClusterRole, []rbacv1.ClusterRoleBinding)
 }
 if utilfeature.DefaultFeatureGate.Enabled(features.StatefulSetAutoDeletePVC) {
- role.Rules = append(role.Rules, rbacv1helpers.NewRule("update").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie())
+ role.Rules = append(role.Rules, rbacv1helpers.NewRule("update", "delete").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie())
 }
 return role
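Review bot: The added `"delete"` verb on `persistentvolumeclaims` has no comment at the rule explaining why it is granted, so a later least-privilege cleanup could drop it, or a reader could assume the controller deletes claims itself. Per the commit message the verb exists to satisfy OwnerReferencesPermissionEnforcement when the controller updates ownerReferences, so I would add above the `append` line: `// "delete" is required so ownerReferences updates on PVCs pass OwnerReferencesPermissionEnforcement admission.` The visible rule carries no resource-name restriction and is built into a ClusterRole, so with the StatefulSetAutoDeletePVC gate enabled this identity can presumably delete any PVC its binding covers; that widening is worth recording in the role's documentation or release note. The enclosing block starts outside the hunk.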