crossplane-contrib / provider-upjet-gcp

Official GCP Provider for Crossplane by Upbound.
Apache License 2.0

Fails to reconcile on openshift: invalid RBAC for providerconfigusages.gcp.upbound.io #78

Closed gberche-orange closed 4 months ago

gberche-orange commented 1 year ago

What happened?

Trying to use the upbound/provider-gcp provider on OpenShift 4.10, where the k8s API admission plugin OwnerReferencesPermissionEnforcement is turned on by default, the MR never reconciles and displays the following error message:

    message: 'connect failed: cannot get terraform setup: cannot track ProviderConfig usage:
      cannot apply ProviderConfigUsage: cannot create object: providerconfigusages.gcp.upbound.io
      "ad06b191-1412-432b-bc6a-435f43de0228" is forbidden: cannot set blockOwnerDeletion
      if an ownerReference refers to a resource you can''t set finalizers on: , <nil>'
    reason: ReconcileError

This seems quite similar to https://github.com/crossplane/crossplane/issues/3443

How can we reproduce it?

Turn on the OwnerReferencesPermissionEnforcement plugin (see https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement) in the k8s cluster running upbound/provider-gcp provider integration tests

What environment did it happen in?

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.9", GitCommit:"c1de2d70269039fe55efb98e737d9a29f9155246", GitTreeState:"clean", BuildDate:"2022-07-13T14:26:51Z", GoVersion:"go1.17.11", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.5+012e945", GitCommit:"3c28e7a79b58e78b4c1dc1ab7e5f6c6c2d3aedd3", GitTreeState:"clean", BuildDate:"2022-07-13T08:38:41Z", GoVersion:"go1.17.12", Compiler:"gc", Platform:"linux/amd64"}
gberche-orange commented 1 year ago

My workaround for a crossplane installation in the namespace 70-crossplane was to apply the following resources:

---
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: crossplane-provider-upbound-controller-config
spec:
  args:
  - --debug
  podSecurityContext: {}
  securityContext: {}
  serviceAccountName: crossplane-provider-upbound-gcp
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: upbound-provider-gcp
  namespace: 70-crossplane
spec:
  controllerConfigRef:
    name: crossplane-provider-upbound-controller-config
  package: xpkg.upbound.io/upbound/provider-gcp:v0.20.0
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: crossplane-provider-upbound-gcp
  namespace: 70-crossplane
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crossplane-provider-upbound-gcp
rules:
- apiGroups:
  - compute.gcp.upbound.io
  - dialogflowcx.gcp.upbound.io
  - monitoring.gcp.upbound.io
  - appengine.gcp.upbound.io
  - storage.gcp.upbound.io
  - privateca.gcp.upbound.io
  - containerazure.gcp.upbound.io
  - container.gcp.upbound.io
  - containeraws.gcp.upbound.io
  - bigquery.gcp.upbound.io
  - servicenetworking.gcp.upbound.io
  - healthcare.gcp.upbound.io
  - essentialcontacts.gcp.upbound.io
  - kms.gcp.upbound.io
  - spanner.gcp.upbound.io
  - sql.gcp.upbound.io
  - identityplatform.gcp.upbound.io
  - cloudrun.gcp.upbound.io
  - datacatalog.gcp.upbound.io
  - composer.gcp.upbound.io
  - notebooks.gcp.upbound.io
  - cloudplatform.gcp.upbound.io
  - cloudfunctions.gcp.upbound.io
  - filestore.gcp.upbound.io
  - redis.gcp.upbound.io
  - cloudscheduler.gcp.upbound.io
  - dataflow.gcp.upbound.io
  - pubsub.gcp.upbound.io
  - dns.gcp.upbound.io
  - gkehub.gcp.upbound.io
  - containeranalysis.gcp.upbound.io
  - osconfig.gcp.upbound.io
  - gcp.upbound.io
  - cloudtasks.gcp.upbound.io
  - firebaserules.gcp.upbound.io
  - sourcerepo.gcp.upbound.io
  - secretmanager.gcp.upbound.io
  - oslogin.gcp.upbound.io
  - eventarc.gcp.upbound.io
  - iap.gcp.upbound.io
  resources:
  - '*'
  - '*/finalizers'
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - create
- apiGroups:
  - ""
  - coordination.k8s.io
  resources:
  - secrets
  - configmaps
  - events
  - leases
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: crossplane-provider-upbound-gcp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: crossplane-provider-upbound-gcp
subjects:
- kind: ServiceAccount
  name: crossplane-provider-upbound-gcp
  namespace: 70-crossplane
---
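The permission behind this error is the one the OwnerReferencesPermissionEnforcement plugin checks: a client that creates an object whose ownerReference carries blockOwnerDeletion=true must be allowed to `update` the `finalizers` subresource of the referenced owner. The following added example (not code from this issue or from the provider) implements the upstream RBAC matching semantics for apiGroups, resources and verbs in Python and runs that check against a role mirroring the workaround above, a constructed narrower role that lacks any finalizers grant, and the least-privilege fix of adding only `update` on `*/finalizers`. The API-group subset, resource names and the narrow role are constructed for the example and are not the provider's shipped RBAC.

```python
"""Constructed example: simplified Kubernetes RBAC matching used to check the
permission that the OwnerReferencesPermissionEnforcement admission plugin
demands. When a client creates an object whose ownerReference carries
blockOwnerDeletion=true, the plugin requires that the client may `update` the
`finalizers` subresource of the referenced owner; otherwise the create is
rejected with the "cannot set blockOwnerDeletion" error quoted in this issue.

The matching functions follow the upstream RBAC evaluator semantics for
apiGroups, resources (including '*' and '*/<subresource>') and verbs. The
roles below are constructed for this example and only mirror the workaround
ClusterRole; they are not the provider's own RBAC.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyRule:
    api_groups: tuple
    resources: tuple
    verbs: tuple


def group_matches(rule: PolicyRule, group: str) -> bool:
    return "*" in rule.api_groups or group in rule.api_groups


def resource_matches(rule: PolicyRule, resource: str, subresource: str = "") -> bool:
    """'*' matches every resource and subresource; an exact 'resource' or
    'resource/sub' matches; '*/sub' matches the named subresource of any resource."""
    combined = f"{resource}/{subresource}" if subresource else resource
    for r in rule.resources:
        if r == "*" or r == combined:
            return True
        if subresource and r == f"*/{subresource}":
            return True
    return False


def verb_matches(rule: PolicyRule, verb: str) -> bool:
    return "*" in rule.verbs or verb in rule.verbs


def allowed(rules, verb, group, resource, subresource=""):
    """True if any rule in the role grants verb on group/resource[/subresource]."""
    return any(
        group_matches(r, group)
        and resource_matches(r, resource, subresource)
        and verb_matches(r, verb)
        for r in rules
    )


def can_block_owner_deletion(rules, owner_group, owner_resource):
    """The admission-plugin check: 'update' on <owner>/finalizers."""
    return allowed(rules, "update", owner_group, owner_resource, "finalizers")


# Constructed subset of the API groups listed in the workaround ClusterRole.
GCP_GROUPS = ("gcp.upbound.io", "compute.gcp.upbound.io", "storage.gcp.upbound.io")
VERBS = ("get", "list", "watch", "update", "patch", "create")

# Mirrors the workaround role: '*' and '*/finalizers' in those groups.
WORKAROUND_RULES = (PolicyRule(GCP_GROUPS, ("*", "*/finalizers"), VERBS),)

# Hypothetical narrower role with no finalizers grant (constructed to show the failure).
NARROW_RULES = (
    PolicyRule(GCP_GROUPS, ("providerconfigs", "providerconfigusages", "networks"), VERBS),
)

# Least-privilege fix for the narrow role: add only 'update' on */finalizers.
MINIMAL_FIX_RULES = NARROW_RULES + (PolicyRule(GCP_GROUPS, ("*/finalizers",), ("update",)),)


def report(rules, owners=(("gcp.upbound.io", "providerconfigs"),
                          ("compute.gcp.upbound.io", "networks"))):
    """Map each (group, resource) an ownerReference may point at to the check result."""
    return {f"{g}/{res}": can_block_owner_deletion(rules, g, res) for g, res in owners}


if __name__ == "__main__":
    for name, rules in (("workaround", WORKAROUND_RULES),
                        ("narrow", NARROW_RULES),
                        ("minimal-fix", MINIMAL_FIX_RULES)):
        print(name, report(rules))
```

Run it directly to see the three roles side by side: only the roles that grant `update` on the owner's `finalizers` subresource pass. Against a live cluster the equivalent question is answered by `kubectl auth can-i update <resource>/finalizers --as=system:serviceaccount:<namespace>:<serviceaccount>`, which is a useful pre-check before installing the provider on a cluster with this admission plugin enabled.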
github-actions[bot] commented 5 months ago

This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as stale. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

github-actions[bot] commented 4 months ago

This issue is being closed since there has been no activity for 14 days since marking it as stale. If you still need help, feel free to comment or reopen the issue!