OCPBUGS-65621: add dedicated service account to crb, cvo and version pod

[ehearne-redhat]

What

• Add dedicated service account to CVO and version pods in openshift-cluster-version namespace.
• Add cluster role binding and attach dedicated service account to it.

Why

• Default service account should not be used on OpenShift components.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

The changes refactor service account configuration for the cluster-version-operator. A ClusterRoleBinding granting cluster-admin to the default service account is removed, replaced by two new named ServiceAccounts (cluster-version-operator and update-payload) with corresponding RBAC bindings. Pod and deployment manifests are updated to reference the new named service accounts.

Changes

Cohort / File(s)	Summary
Service Account Creation install/0000_00_cluster-version-operator_02_service_account.yaml	Adds two new ServiceAccounts: cluster-version-operator and update-payload, both in the openshift-cluster-version namespace with annotations for description and high-availability.
RBAC Configuration install/0000_00_cluster-version-operator_02_roles.yaml, install/0000_90_cluster-version-operator_02_roles.yaml	Removes ClusterRoleBinding granting cluster-admin to default ServiceAccount; introduces two new ClusterRoleBindings binding cluster-admin to cluster-version-operator and default ServiceAccounts with descriptive annotations and lifecycle metadata.
Pod and Deployment Configuration bootstrap/bootstrap-pod.yaml, pkg/cvo/updatepayload.go, pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml	Adds serviceAccountName field assignments to Pod and Deployment specs: bootstrap Pod uses cluster-version-operator, update payload retrieval Pod uses update-payload, cluster-version-operator Deployment uses cluster-version-operator.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ehearne-redhat
Once this PR has been reviewed and has the lgtm label, please assign wking for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ehearne-redhat]

/retest

[ehearne-redhat]

/test e2e-aws-ovn-upgrade

[ehearne-redhat]

/test e2e-aws-ovn-techpreview

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65621, which is invalid:

• expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

WIP - do not merge.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ehearne-redhat]

/jira refresh

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65621, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @dis016

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65621, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @dis016

Details

In response to this:

What

• Add dedicated service account to CVO and version pods in openshift-cluster-version namespace.
• Add cluster role binding and attach dedicated service account to it.

Why

• Default service account should not be used on OpenShift components.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/test e2e-aws-ovn-techpreview

[ehearne-redhat]

/test okd-scos-images

[wking]

Redundant vs. the cluster-version-operator you declare down at the end of this file?

[ehearne-redhat]

Actually, this one is interesting. So, in order to get the into-change and out-of-change tests to pass, these two CRBs play different roles.

cluster-version-operator CRB is for the out-of-change test. It looks for this binding so it has the necessary permissions for the default service account to conduct itself.

cluster-version-operator-1 CRB is for the into-change test. This binding ensures the new service account cluster-version-operator has the necessary permissions to conduct itself.

Without cluster-version-operator CRB, the default service account appears to not have the necessary permissions and fail, probably because of the naming of the CRBs. This is important for the out-of-change test to pass.

[wking]

Update-payload Pod doesn't make Kube API calls at all, so I don't think we need this cluster-version-operator-payload ClusterRoleBinding.

[ehearne-redhat]

I've commented it out to test this. If proves true in testing, I'll remove entirely.

[wking]

Can you either add this to the bootstrap manifest too, or have a commit message that mentions why we don't need a service account for that bootstrap manifest?

In that vein, you might want to reshuffle your existing commit stack to try and tell the transformation story in a more narrative arc. It is completely fine to take a bunch of commits, if you need more space to talk about each pivot in a series. But at the moment, there are things like fc55fa5, which sounds like useful context to include in a "why I did things this way..." commit message in a commit that adds the new role-bindings. But I don't see a benefit to keeping it completely separate, vs. having a single commit that brings in the finished roll bindings and then explains all the context you need to explain that finished shape.

[ehearne-redhat]

I've added it to the bootstrap manifest. I'll wait to see how tests behave before squashing the commits into a narrative commit, or a collection of them depending.

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@install/0000_00_cluster-version-operator_03_roles.yaml`‎:
- Around line 31-45: The ClusterRoleBinding manifest is missing the required
roleRef.apiGroup field; update the ClusterRoleBinding (metadata.name:
cluster-version-operator) to add roleRef.apiGroup: rbac.authorization.k8s.io
alongside the existing roleRef.kind: ClusterRole and roleRef.name: cluster-admin
so the roleRef block is valid for Kubernetes RBAC (affecting the
ClusterRoleBinding that grants the ServiceAccount in namespace
openshift-cluster-version name default).

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@install/0000_90_cluster-version-operator_02_roles.yaml`‎:
- Around line 16-30: Uncomment and enable the ClusterRoleBinding for the
update-payload ServiceAccount (ClusterRoleBinding named
cluster-version-operator-payload) or replace it with a least-privileged binding:
restore the commented block that binds subject kind: ServiceAccount name:
update-payload namespace: openshift-cluster-version to roleRef kind: ClusterRole
name: cluster-admin (or create a new ClusterRole/Role with minimal permissions
and reference it instead), ensure the metadata annotation
include.release.openshift.io/self-managed-high-availability remains if required,
and verify there are no duplicate bindings elsewhere for update-payload.
- Around line 31-46: Remove the legacy ClusterRoleBinding that grants
cluster-admin to the default ServiceAccount: delete the ClusterRoleBinding
resource with metadata.name "cluster-version-operator" that has roleRef.kind
"ClusterRole"/name "cluster-admin" and subjects binding kind "ServiceAccount"
name "default" in namespace "openshift-cluster-version" (the block currently
annotated with release.openshift.io/delete: "true"); this proactively cleans up
the legacy artifact since the deployment uses the dedicated
cluster-version-operator ServiceAccount and its proper binding.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Enable RBAC binding for the update-payload ServiceAccount.

This block is commented out (Line 16-30), so the update-payload SA has no ClusterRoleBinding here, which conflicts with the PR objective of a dedicated SA for version pods. If the payload pod needs cluster-level access, this will break. Please confirm intent and enable (or replace with least-privileged RBAC).

🛠️ Proposed fix (uncomment the binding)

-# apiVersion: rbac.authorization.k8s.io/v1
-# kind: ClusterRoleBinding
-# metadata:
-#   name: cluster-version-operator-payload
-#   annotations:
-#     include.release.openshift.io/self-managed-high-availability: "true"
-# subjects:
-# - kind: ServiceAccount
-#   name: update-payload
-#   namespace: openshift-cluster-version
-# roleRef:
-#   kind: ClusterRole
-#   name: cluster-admin
-#   apiGroup: rbac.authorization.k8s.io
-# ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-version-operator-payload
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+subjects:
+- kind: ServiceAccount
+  name: update-payload
+  namespace: openshift-cluster-version
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
+---

If you want to verify whether another binding already exists, you can run:

#!/bin/bash
# Look for any RBAC bindings referencing update-payload
rg -n -C2 'update-payload' -g '*.yaml'
rg -n -C2 'cluster-version-operator-payload' -g '*.yaml'

🤖 Prompt for AI Agents

In `@install/0000_90_cluster-version-operator_02_roles.yaml`‎ around lines 16 -
30, Uncomment and enable the ClusterRoleBinding for the update-payload
ServiceAccount (ClusterRoleBinding named cluster-version-operator-payload) or
replace it with a least-privileged binding: restore the commented block that
binds subject kind: ServiceAccount name: update-payload namespace:
openshift-cluster-version to roleRef kind: ClusterRole name: cluster-admin (or
create a new ClusterRole/Role with minimal permissions and reference it
instead), ensure the metadata annotation
include.release.openshift.io/self-managed-high-availability remains if required,
and verify there are no duplicate bindings elsewhere for update-payload.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# Find the file mentioned in the review
find . -name "*cluster-version-operator*" -type f | head -20

Repository: openshift/cluster-version-operator

Length of output: 376

---

🏁 Script executed:

# List files in the install directory to understand structure
ls -la install/ 2>/dev/null | head -30

Repository: openshift/cluster-version-operator

Length of output: 1614

---

🏁 Script executed:

# Check if the exact file exists
cat -n install/0000_90_cluster-version-operator_02_roles.yaml 2>/dev/null | head -60

Repository: openshift/cluster-version-operator

Length of output: 1775

---

🏁 Script executed:

# Check if there are ServiceAccount definitions in the directory
grep -r "kind: ServiceAccount" install/ | head -10

Repository: openshift/cluster-version-operator

Length of output: 579

---

🏁 Script executed:

# Look for other references to "default" ServiceAccount in cluster-version context
rg "default" install/ -A2 -B2 | head -40

Repository: openshift/cluster-version-operator

Length of output: 1759

---

🏁 Script executed:

# Check git history or comments to understand the intent
head -5 install/0000_90_cluster-version-operator_02_roles.yaml

Repository: openshift/cluster-version-operator

Length of output: 203

---

🏁 Script executed:

# Check the service account definitions to understand which is actually used
cat -n install/0000_00_cluster-version-operator_02_service_account.yaml

Repository: openshift/cluster-version-operator

Length of output: 772

---

🏁 Script executed:

# Check deployment to see which ServiceAccount it uses
grep -A5 -B5 "serviceAccountName\|serviceAccount:" install/0000_00_cluster-version-operator_03_deployment.yaml

Repository: openshift/cluster-version-operator

Length of output: 426

---

The default ServiceAccount binding is already marked for deletion.

This binding (lines 31–46) does grant cluster-admin to the default SA, but the release.openshift.io/delete: "true" annotation marks it as a legacy artifact scheduled for deletion during cluster upgrades. The actual deployment uses the dedicated cluster-version-operator ServiceAccount (see deployment.yaml and the proper binding at lines 1–14), so this is not an active security issue. If you want to clean up the legacy binding proactively, removing it is safe, but it's not a security regression since automated deletion markers are in place.

🤖 Prompt for AI Agents

In `@install/0000_90_cluster-version-operator_02_roles.yaml`‎ around lines 31 -
46, Remove the legacy ClusterRoleBinding that grants cluster-admin to the
default ServiceAccount: delete the ClusterRoleBinding resource with
metadata.name "cluster-version-operator" that has roleRef.kind
"ClusterRole"/name "cluster-admin" and subjects binding kind "ServiceAccount"
name "default" in namespace "openshift-cluster-version" (the block currently
annotated with release.openshift.io/delete: "true"); this proactively cleans up
the legacy artifact since the deployment uses the dedicated
cluster-version-operator ServiceAccount and its proper binding.

[ehearne-redhat]

/retest

[openshift-ci]

@ehearne-redhat: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-agnostic-ovn-upgrade-into-change	e530cee	link	true	/test e2e-agnostic-ovn-upgrade-into-change
ci/prow/e2e-agnostic-ovn	e530cee	link	true	/test e2e-agnostic-ovn
ci/prow/e2e-agnostic-operator	e530cee	link	true	/test e2e-agnostic-operator
ci/prow/e2e-aws-ovn-techpreview	e530cee	link	true	/test e2e-aws-ovn-techpreview
ci/prow/e2e-agnostic-ovn-upgrade-out-of-change	e530cee	link	true	/test e2e-agnostic-ovn-upgrade-out-of-change
ci/prow/e2e-agnostic-ovn-techpreview-serial	e530cee	link	true	/test e2e-agnostic-ovn-techpreview-serial

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.