Description of problem: Uninstalling operator with csv contains the "clusterPermissions" field, related clusterrole,clusterrolebinding and sa can not be deleted Version-Release number of selected component (if applicable): oc version:4.1.0-0.nightly-2019-07-10-210957 OLM version: 0.9.0 commit.url=https://github.com/operator-framework/operator-lifecycle-manager/commit/b45dae333aa3d6e4baa8fb8625eac5d7700c6525 How reproducible: Always Steps to Reproduce: 1.install etcd operator with "Update Channel":"clusterwide-alpha" by web console 2.uninstall etcd operator by web console Actual results: 1.ClusterRole, ClusterRoleBinding, SA created 2.ClusterRole, ClusterRoleBinding, SA are not deleted Expected results: 2.ClusterRole, ClusterRoleBinding, SA should all be deleted Additional info: $ oc get sub -n openshift-operators NAME PACKAGE SOURCE CHANNEL etcd etcd installed-community-openshift-operators clusterwide-alpha $ oc get clusterrole | grep etcd etcdbackups.etcd.database.coreos.com-v1beta2-admin 46m etcdbackups.etcd.database.coreos.com-v1beta2-crdview 46m etcdbackups.etcd.database.coreos.com-v1beta2-edit 46m etcdbackups.etcd.database.coreos.com-v1beta2-view 46m etcdclusters.etcd.database.coreos.com-v1beta2-admin 46m etcdclusters.etcd.database.coreos.com-v1beta2-crdview 46m etcdclusters.etcd.database.coreos.com-v1beta2-edit 46m etcdclusters.etcd.database.coreos.com-v1beta2-view 46m etcdoperator.v0.9.4-clusterwide-9rmpt 47m etcdrestores.etcd.database.coreos.com-v1beta2-admin 46m etcdrestores.etcd.database.coreos.com-v1beta2-crdview 46m etcdrestores.etcd.database.coreos.com-v1beta2-edit 46m etcdrestores.etcd.database.coreos.com-v1beta2-view 46m $ oc get clusterrolebinding | grep etcd etcdoperator.v0.9.4-clusterwide-9rmpt-etcd-operator-56b6h 47m $ oc get sa -n openshift-operator etcd-operator 2 48m delete etcd operator $ oc get sub -n openshift-operators No resources found. $ oc get clusterrole | grep etcd etcdbackups.etcd.database.coreos.com-v1beta2-admin 50m etcdbackups.etcd.database.coreos.com-v1beta2-crdview 50m etcdbackups.etcd.database.coreos.com-v1beta2-edit 50m etcdbackups.etcd.database.coreos.com-v1beta2-view 50m etcdclusters.etcd.database.coreos.com-v1beta2-admin 50m etcdclusters.etcd.database.coreos.com-v1beta2-crdview 50m etcdclusters.etcd.database.coreos.com-v1beta2-edit 50m etcdclusters.etcd.database.coreos.com-v1beta2-view 50m etcdoperator.v0.9.4-clusterwide-9rmpt 50m etcdrestores.etcd.database.coreos.com-v1beta2-admin 50m etcdrestores.etcd.database.coreos.com-v1beta2-crdview 50m etcdrestores.etcd.database.coreos.com-v1beta2-edit 50m etcdrestores.etcd.database.coreos.com-v1beta2-view 50m $ oc get clusterrolebinding | grep etcd etcdoperator.v0.9.4-clusterwide-9rmpt-etcd-operator-56b6h 50m $ oc get sa -n openshift-operators NAME SECRETS AG etcd-operator 2 51m $ oc get crd|grep etcd etcdbackups.etcd.database.coreos.com 2019-07-12T02:25:40Z etcdclusters.etcd.database.coreos.com 2019-07-12T02:25:40Z etcdrestores.etcd.database.coreos.com 2019-07-12T02:25:40Z
ClusterRole, ClusterRoleBinding, SA can be deleted by manually through `oc delete` commands.
There are a couple of things here: 1. Cluster scoped objects cannot have ownerreferences, so we can't rely on the mechanisms (kube GC) that we do for other resources. 2. ServiceAccounts do get GC'd, just not clusterroles or clusterrolebindings. In my opinion, #2 lowers the severity. We will have a PR up to fix this soon.
https://github.com/operator-framework/operator-lifecycle-manager/pull/970
I looked into doing this and the queueing code has changed significantly in a way that pulling this backport in would require also pulling in a bunch of new code. Since this is not a critical bug, opting to just leave the code as is.