don't block creation on lack of delete powers

[deads2k]

Create and delete aren't the same thing, but the alternatives seem worse. This stops checking for deletion powers on create.

WIP so we don't accidentally merge this without an upstream pull.

@bparees @openshift/sig-master

[soltysh]

Create and delete aren't the same thing, but the alternatives seem worse. This stops checking for deletion powers on create.

Where this is coming from that we need to open the discussion for changing it?

[liggitt]

Where this is coming from that we need to open the discussion for changing it?

template service broker sets up ownerref relationships on created objects at creation time. we don't really want to give it delete permissions just to pass this check. it doesn't seem unreasonable to let the creator of an object declare an owning object. protecting against an update by someone without delete permission adding an ownerref and triggering deletion is more valuable.

[enj]

it doesn't seem unreasonable to let the creator of an object declare an owning object

That sounds OK. I am wondering if there are any weird read semantics we need to consider. For example, can you probe for the existence of resource A (that you cannot see) by setting ownerrefs on resource B (which you own) and seeing if your resource B gets immediately GC'd? I am not sure what that gets you, but it does remind of blind SQL injection attacks.

@openshift/sig-security

[liggitt]

You need to know the uid...

[tnozicka]

+1; I have hit the same issue as service catalog with openshift-acme

[enj]

You need to know the uid...

Ah I forgot about that. Do not really see any issue with this then.

[deads2k]

Opened upstream. Ready for review. This is not a clean pick.

[deads2k]

/retest

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• test/integration/OWNERS [deads2k]
• vendor/k8s.io/kubernetes/plugin/pkg/admission/OWNERS [deads2k]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[liggitt]

/lgtm

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci-robot]

@deads2k: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/openshift-jenkins/unit	410094c	link	/test unit

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.