OCPBUGS-65621: add dedicated service account to crb, cvo and version pod

[ehearne-redhat]

What

• Add dedicated service account to CVO and version pods in openshift-cluster-version namespace.
• Add cluster role binding and attach dedicated service account to it.

Why

• Default service account should not be used on OpenShift components.

[coderabbitai]

Note

Currently processing new changes in this PR. This may take a few minutes, please wait...

 _________________________________________
< 💣 Deploying bug fixes in 3... 2... 1... >
 -----------------------------------------
  \
   \   \
        \ /\
        ( )
      .( o ).

_{✏️ Tip: You can disable in-progress messages and the fortune message in your review settings.}

Tip

You can disable the changed files summary in the walkthrough.

Disable the reviews.changed_files_summary setting to disable the changed files summary in the walkthrough.

Walkthrough

This change restructures the cluster-version-operator's RBAC configuration by introducing dedicated service accounts (cluster-version-operator and update-payload) in place of relying on the default service account, and binding these accounts to the necessary cluster-admin roles. Service account references are added to relevant pod and deployment specifications.

Changes

Cohort / File(s)	Summary
New Service Accounts install/0000_00_cluster-version-operator_02_service_account.yaml	Introduces two new ServiceAccounts: cluster-version-operator and update-payload, both in the openshift-cluster-version namespace with high-availability annotations.
RBAC Binding Restructuring install/0000_00_cluster-version-operator_02_roles.yaml, install/0000_00_cluster-version-operator_03_roles.yaml	Removes the ClusterRoleBinding that granted cluster-admin to the default ServiceAccount; adds three new ClusterRoleBindings granting cluster-admin to cluster-version-operator, update-payload, and default ServiceAccounts.
Service Account Integration bootstrap/bootstrap-pod.yaml, pkg/cvo/updatepayload.go, install/0000_00_cluster-version-operator_04_deployment.yaml, pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml	Updates Pod and Deployment specifications to reference the appropriate service accounts (cluster-version-operator for CVO deployment and bootstrap pod; update-payload for payload retrieval pod).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

Issue Planner is now in beta. Read the docs and try it out! Share your feedback on Discord.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ehearne-redhat
Once this PR has been reviewed and has the lgtm label, please assign wking for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ehearne-redhat]

/retest

[ehearne-redhat]

/test e2e-aws-ovn-upgrade

[ehearne-redhat]

/test e2e-aws-ovn-techpreview

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65621, which is invalid:

• expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

WIP - do not merge.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ehearne-redhat]

/jira refresh

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65621, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @dis016

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65621, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @dis016

Details

In response to this:

What

• Add dedicated service account to CVO and version pods in openshift-cluster-version namespace.
• Add cluster role binding and attach dedicated service account to it.

Why

• Default service account should not be used on OpenShift components.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/test e2e-aws-ovn-techpreview

[ehearne-redhat]

/test okd-scos-images

[wking]

Redundant vs. the cluster-version-operator you declare down at the end of this file?

[ehearne-redhat]

Actually, this one is interesting. So, in order to get the into-change and out-of-change tests to pass, these two CRBs play different roles.

cluster-version-operator CRB is for the out-of-change test. It looks for this binding so it has the necessary permissions for the default service account to conduct itself.

cluster-version-operator-1 CRB is for the into-change test. This binding ensures the new service account cluster-version-operator has the necessary permissions to conduct itself.

Without cluster-version-operator CRB, the default service account appears to not have the necessary permissions and fail, probably because of the naming of the CRBs. This is important for the out-of-change test to pass.

[wking]

Update-payload Pod doesn't make Kube API calls at all, so I don't think we need this cluster-version-operator-payload ClusterRoleBinding.

[ehearne-redhat]

I've commented it out to test this. If proves true in testing, I'll remove entirely.

[wking]

Can you either add this to the bootstrap manifest too, or have a commit message that mentions why we don't need a service account for that bootstrap manifest?

In that vein, you might want to reshuffle your existing commit stack to try and tell the transformation story in a more narrative arc. It is completely fine to take a bunch of commits, if you need more space to talk about each pivot in a series. But at the moment, there are things like fc55fa5, which sounds like useful context to include in a "why I did things this way..." commit message in a commit that adds the new role-bindings. But I don't see a benefit to keeping it completely separate, vs. having a single commit that brings in the finished roll bindings and then explains all the context you need to explain that finished shape.

[ehearne-redhat]

I've added it to the bootstrap manifest. I'll wait to see how tests behave before squashing the commits into a narrative commit, or a collection of them depending.

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@install/0000_00_cluster-version-operator_03_roles.yaml`‎:
- Around line 31-45: The ClusterRoleBinding manifest is missing the required
roleRef.apiGroup field; update the ClusterRoleBinding (metadata.name:
cluster-version-operator) to add roleRef.apiGroup: rbac.authorization.k8s.io
alongside the existing roleRef.kind: ClusterRole and roleRef.name: cluster-admin
so the roleRef block is valid for Kubernetes RBAC (affecting the
ClusterRoleBinding that grants the ServiceAccount in namespace
openshift-cluster-version name default).

[openshift-ci]

@ehearne-redhat: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-agnostic-operator	63774e1	link	true	/test e2e-agnostic-operator
ci/prow/e2e-agnostic-ovn-techpreview-serial	63774e1	link	true	/test e2e-agnostic-ovn-techpreview-serial
ci/prow/e2e-agnostic-ovn-upgrade-out-of-change	63774e1	link	true	/test e2e-agnostic-ovn-upgrade-out-of-change
ci/prow/e2e-aws-ovn-techpreview	63774e1	link	true	/test e2e-aws-ovn-techpreview
ci/prow/okd-scos-images	63774e1	link	true	/test okd-scos-images
ci/prow/e2e-hypershift	63774e1	link	true	/test e2e-hypershift
ci/prow/e2e-agnostic-ovn	63774e1	link	true	/test e2e-agnostic-ovn
ci/prow/e2e-agnostic-ovn-upgrade-into-change	63774e1	link	true	/test e2e-agnostic-ovn-upgrade-into-change

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.