Please, answer some short questions which should help us to understand your problem / question better?
Which image of the operator are you using? spilo-13:2.0-p6
Where do you run it - cloud or metal? Kubernetes or OpenShift? Bare Metal K8s
Are you running Postgres Operator in production? no
Type of issue? Bug
Hello,
We've upgraded our operator to version 1.13. During sync, the operator tries to patch the annotations of PVCs; however, it fails due to the cluster role lacking the "patch" privilege for PVCs. For example:
level=warning msg="error while syncing cluster state: could not sync persistent volume claims: could not patch annotations of the persistent volume claim for volume \"pgdata-postgresql-upgraded-db-cluster-0\": persistentvolumeclaims \"pgdata-postgresql-upgraded-db-cluster-0\" is forbidden: User \"system:serviceaccount:postgres-operator:postgres-operator\" cannot patch resource \"persistentvolumeclaims\" in API group \"\" in the namespace \"postgresql-upgraded\"" cluster-name=postgresql-upgraded/postgresql-upgraded-db-cluster pkg=cluster
We use storage_resize_mode:off but the operator still tries to patch annotations.
Recommendation: The "patch" privilege should be given as a default regardless of the value of the storage_resize_mode parameter.
In my environment the below configuration solved the problem:
  resources:
  - persistentvolumeclaims
  verbs:
  - delete
  - get
  - list
  - patch
{{- if toString .Values.configKubernetes.storage_resize_mode | eq "pvc" }}
Here (https://github.com/zalando/postgres-operator/blob/master/charts/postgres-operator/templates/clusterrole.yaml#L144) it seems the "patch" privilege is only granted to those who use "storage_resize_mode:pvc"
Thank you. Emrah.
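
One way to confirm which verbs a role is missing, as an added example that is not part of the original issue or the operator's code: it extracts RBAC denials from log lines and checks them against a rule list. The log lines, the namespace "example-ns" and the two rule lists are constructed from the error message and the role fragment quoted in the issue.

```python
import re
from collections import defaultdict

# Matches the API server's RBAC denial text. Quotes may be backslash-escaped
# when the message is embedded in a logfmt msg="..." field, as in the issue.
DENIED = re.compile(
    r'User \\?"(?P<user>[^"\\]+)\\?" cannot (?P<verb>\w+) resource '
    r'\\?"(?P<resource>[^"\\]+)\\?" in API group \\?"(?P<group>[^"\\]*)\\?"'
    r'(?: in the namespace \\?"(?P<namespace>[^"\\]+)\\?")?'
)

def parse_denials(lines):
    """Return the set of (user, verb, resource, group, namespace) denials found."""
    return {(m["user"], m["verb"], m["resource"], m["group"], m["namespace"])
            for line in lines for m in DENIED.finditer(line)}

def allows(rules, verb, resource, group):
    """True if any rule grants verb on resource in group ('*' is a wildcard)."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return any(
        hit(r.get("apiGroups", []), group)
        and hit(r.get("resources", []), resource)
        and hit(r.get("verbs", []), verb)
        for r in rules
    )

def missing_verbs(rules, denials):
    """Denied verbs the rules do not cover, keyed by (group, resource)."""
    gaps = defaultdict(set)
    for _user, verb, resource, group, _ns in denials:
        if not allows(rules, verb, resource, group):
            gaps[(group, resource)].add(verb)
    return {key: sorted(verbs) for key, verbs in gaps.items()}

# Constructed sample: the denial from the issue (escaped) and a plain-text variant.
SAMPLE_LOG = [
    r'level=warning msg="... is forbidden: User \"system:serviceaccount:postgres-operator:postgres-operator\" cannot patch resource \"persistentvolumeclaims\" in API group \"\" in the namespace \"postgresql-upgraded\"" pkg=cluster',
    'User "system:serviceaccount:postgres-operator:postgres-operator" cannot patch resource "persistentvolumeclaims" in API group "" in the namespace "example-ns"',
]
# Constructed rule lists: the PVC rule without "patch", then with it added.
RULES_BEFORE = [{"apiGroups": [""], "resources": ["persistentvolumeclaims"], "verbs": ["delete", "get", "list"]}]
RULES_AFTER = [dict(RULES_BEFORE[0], verbs=["delete", "get", "list", "patch"])]

if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    print("before:", missing_verbs(RULES_BEFORE, denials))
    print("after: ", missing_verbs(RULES_AFTER, denials))
```

On a live cluster, kubectl auth can-i patch persistentvolumeclaims --as=system:serviceaccount:postgres-operator:postgres-operator -n postgresql-upgraded answers the same question for a single verb.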