kvaps / kube-fencing

Fencing implementation for Kubernetes
Apache License 2.0

Missing nodes/finalizers permissions #26

Open manfuin opened 2 years ago

manfuin commented 2 years ago

At least when running on the later OKD, the controller failed to create Jobs due to missing nodes/finalizers permissions. Adding the following to RBAC:

  - apiGroups: [""]
    resources: ["nodes/finalizers"]
    verbs: ["list", "watch", "get", "delete", "update", "patch"]

fixes the issue. Fewer verbs might be needed for stricter compliance.

manfuin commented 2 years ago

After further testing, it turned out that "jobs/finalizers" permissions need to be added as well for the after-hook; otherwise it failed to create the job with the same error:

E0705 22:00:55.312683 1 job_controller.go:272] Failed to create new Job : jobs.batch "fence--after-hook" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: ,
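
A narrower form of the rules discussed in this thread, as an added example that is not from the issue author or the kube-fencing project: upstream Kubernetes documents that the OwnerReferencesPermissionEnforcement admission plugin allows only users with update permission on the owner's finalizers subresource to set blockOwnerDeletion, which is the check named in the error above. The ClusterRole name is hypothetical, and the assumption that update alone is sufficient should be confirmed on the target cluster.

```yaml
# Added example: least-privilege variant of the rules from this thread.
# "fencing-controller-finalizers" is a hypothetical name; in practice, merge
# these rules into the role already bound to the controller's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: fencing-controller-finalizers
rules:
  # For Jobs created with an ownerReference to a Node (core API group, "").
  # The rule posted in the thread granted list/watch/get/delete/update/patch;
  # the admission check only asks for "update" on the finalizers subresource.
  - apiGroups: [""]
    resources: ["nodes/finalizers"]
    verbs: ["update"]
  # For the after-hook Job, per the second comment. Jobs live in the "batch"
  # API group, so the core group ("") would not match this resource.
  - apiGroups: ["batch"]
    resources: ["jobs/finalizers"]
    verbs: ["update"]
```

To confirm the grant, run `kubectl auth can-i update nodes --subresource=finalizers --as=system:serviceaccount:<namespace>:<serviceaccount>` with the controller's own namespace and ServiceAccount substituted in.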