RBAC flinkdeployments/finalizers missing for OpenShift Deployment

In OpenShift 4.10 and above, I'm noticing with the Flink 1.5.0 RC release that there's an issue with flinkdeployments on OpenShift.  Flinkdeployments are stuck in upgrading:

oc get flinkdep

NAME                                    JOB STATUS   LIFECYCLE STATE

basic-example                                        UPGRADING

The error message looks like:

oc describe flinkdep basic-example

....

Error:                         

Unknown macro: {"type"}

,{"type":"org.apache.flink.kubernetes.shaded.io.fabric8.kubernetes.client.KubernetesClientException","message":"Failure executing: POST at: https://172.30.0.1/apis/apps/v1/namespaces/default/deployments. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked. deployments.apps \"basic-example\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>."}]}

 

Job Manager Deployment Status:  MISSING

The solution is to fix it in the rbac.yaml of the helm template, adding a "  - flinkdeployments/finalizers" line to the flink.apache.org apiGroup.

If the Operator is already running and flinkdeployments are having trouble on OpenShift, then someone can manually edit the flink-kubernetes-operator.v1.5.0 clusterrole and add the

"  - flinkdeployments/finalizers" in the flink.apache.org apiGroup.

I'll create a PR that addresses this.