RBAC resources not deleted on ClusterExtension uninstall #2313
Description
Description
When uninstalling a ClusterExtension, the associated RBAC resources (ClusterRole, ClusterRoleBinding) remain in the cluster even after all related ClusterExtensionRevisions have been deleted.
Expected behavior is that these RBAC objects are garbage collected along with the extension’s revisions and other resources.
Motivation
When a ClusterExtension is deleted, users expect all associated resources, including RBAC, to be fully cleaned up. Leaving ClusterRole and ClusterRoleBinding objects behind leads to lingering permissions after uninstall, making the uninstall experience feel incomplete.
Fixing this aligns the operator-controller with the goal of providing a consistent, declarative install/uninstall lifecycle.
Proposed Fix
- Ensure all objects applied by a ClusterExtensionRevision have ownerReferences to that revision.
- Alternatively, enhance uninstall logic in operator-controller to explicitly remove untracked RBAC objects.
Note: It could be the RBAC phase created by bundle unpacking not setting ownerReferences or not being tracked in .status.installedObjects.