OCPBUGS-65621: add dedicated service account to crb, cvo and version pod#1266
OCPBUGS-65621: add dedicated service account to crb, cvo and version pod#1266ehearne-redhat wants to merge 1 commit intoopenshift:mainfrom
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
WalkthroughThe changes refactor service account configuration for the cluster-version-operator. A ClusterRoleBinding granting cluster-admin to the default service account is removed, replaced by two new named ServiceAccounts (cluster-version-operator and update-payload) with corresponding RBAC bindings. Pod and deployment manifests are updated to reference the new named service accounts. Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~22 minutes ✨ Finishing touches🧪 Generate unit tests (beta)
Comment |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: ehearne-redhat The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
/retest |
|
/test e2e-aws-ovn-upgrade |
|
/test e2e-aws-ovn-techpreview |
|
/retest |
|
/retest |
ehearne-redhat
changed the title
openshift-ci-robot
added
jira/severity-critical
|
@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65621, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/jira refresh |
openshift-ci-robot
added
jira/valid-bug
|
@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65621, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65621, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
install/0000_00_cluster-version-operator_02_service_account.yaml
Outdated
Show resolved
Hide resolved
install/0000_00_cluster-version-operator_02_service_account-cluster-version-operator.yaml
Show resolved
Hide resolved
|
/test e2e-hypershift |
|
Will address failing tests tomorrow. |
|
/retest |
| namespace: openshift-cluster-version | ||
| roleRef: | ||
| kind: ClusterRole | ||
| name: cluster-admin |
There was a problem hiding this comment.
Update-payload Pod doesn't make Kube API calls at all, so I don't think we need this cluster-version-operator-payload ClusterRoleBinding.
There was a problem hiding this comment.
I've commented it out to test this. If proves true in testing, I'll remove entirely.
| k8s-app: cluster-version-operator | ||
| spec: | ||
| automountServiceAccountToken: false | ||
| serviceAccountName: cluster-version-operator |
There was a problem hiding this comment.
Can you either add this to the bootstrap manifest too, or have a commit message that mentions why we don't need a service account for that bootstrap manifest?
In that vein, you might want to reshuffle your existing commit stack to try and tell the transformation story in a more narrative arc. It is completely fine to take a bunch of commits, if you need more space to talk about each pivot in a series. But at the moment, there are things like fc55fa5, which sounds like useful context to include in a "why I did things this way..." commit message in a commit that adds the new role-bindings. But I don't see a benefit to keeping it completely separate, vs. having a single commit that brings in the finished roll bindings and then explains all the context you need to explain that finished shape.
There was a problem hiding this comment.
I've added it to the bootstrap manifest. I'll wait to see how tests behave before squashing the commits into a narrative commit, or a collection of them depending.
|
/retest |
1 similar comment
|
/retest |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@install/0000_00_cluster-version-operator_03_roles.yaml`:
- Around line 31-45: The ClusterRoleBinding manifest is missing the required
roleRef.apiGroup field; update the ClusterRoleBinding (metadata.name:
cluster-version-operator) to add roleRef.apiGroup: rbac.authorization.k8s.io
alongside the existing roleRef.kind: ClusterRole and roleRef.name: cluster-admin
so the roleRef block is valid for Kubernetes RBAC (affecting the
ClusterRoleBinding that grants the ServiceAccount in namespace
openshift-cluster-version name default).
a1352a4 to
aca5426
Compare
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In `@install/0000_90_cluster-version-operator_02_roles.yaml`:
- Around line 16-30: Uncomment and enable the ClusterRoleBinding for the
update-payload ServiceAccount (ClusterRoleBinding named
cluster-version-operator-payload) or replace it with a least-privileged binding:
restore the commented block that binds subject kind: ServiceAccount name:
update-payload namespace: openshift-cluster-version to roleRef kind: ClusterRole
name: cluster-admin (or create a new ClusterRole/Role with minimal permissions
and reference it instead), ensure the metadata annotation
include.release.openshift.io/self-managed-high-availability remains if required,
and verify there are no duplicate bindings elsewhere for update-payload.
- Around line 31-46: Remove the legacy ClusterRoleBinding that grants
cluster-admin to the default ServiceAccount: delete the ClusterRoleBinding
resource with metadata.name "cluster-version-operator" that has roleRef.kind
"ClusterRole"/name "cluster-admin" and subjects binding kind "ServiceAccount"
name "default" in namespace "openshift-cluster-version" (the block currently
annotated with release.openshift.io/delete: "true"); this proactively cleans up
the legacy artifact since the deployment uses the dedicated
cluster-version-operator ServiceAccount and its proper binding.
|
/retest |
ehearne-redhat
force-pushed
the
ensure-cvo-use-bespoke-service-account
branch
from
aca5426 to
0b2dc38
Compare
| roleRef: | ||
| kind: ClusterRole | ||
| name: cluster-admin | ||
| apiGroup: rbac.authorization.k8s.io |
There was a problem hiding this comment.
nit: with release.openshift.io/delete: "true", there is no need to add this new line here, but it doesn't hurt
openshift-merge-robot
added
the
needs-rebase
ehearne-redhat
force-pushed
the
ensure-cvo-use-bespoke-service-account
branch
from
59f3ec1 to
2096b59
Compare
openshift-merge-robot
removed
the
needs-rebase
ehearne-redhat
force-pushed
the
ensure-cvo-use-bespoke-service-account
branch
from
2096b59 to
7116437
Compare
openshift-merge-robot
added
needs-rebase
ehearne-redhat
force-pushed
the
ensure-cvo-use-bespoke-service-account
branch
from
c343817 to
bac51f9
Compare
openshift-merge-robot
added
the
needs-rebase
ehearne-redhat
force-pushed
the
ensure-cvo-use-bespoke-service-account
branch
from
0d0ad1e to
ed40ba5
Compare
openshift-merge-robot
removed
the
needs-rebase
|
/test unit |
|
/retest |
|
@wking so I have all tests passing now, besides the broken
I'm going to clean up the commit history now to reflect all the changes + justifications in the commit description. I will re-ping once that's done for review. :) |
… , and update-payload- pods This change adds a dedicated service account to the pods mentioned above. The ClusterRoleBinding `cluster-version-operator-1` bind the necessary `cluster-admin` ClusterRole to the `cluster-version-operator` ServiceAccount. The ClusterRoleBinding `cluster-version-operator` is still required for e2e-agnostic-ovn-upgrade-out-of-change test to pass, as the `default` ServiceAccount is still in use here. I suspect we can remove this role binding once this PR merges. update-payload pod just needs its own service account, no additional permissions required. TestRenderManifestDeployment_expected_cvo_deployment.yaml has a bespoke service account added to match the CVO Deployment, so that the tests pass for this change.
ehearne-redhat
force-pushed
the
ensure-cvo-use-bespoke-service-account
branch
from
7af5fe9 to
ab5b6a0
Compare
|
@ehearne-redhat: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
6 participants
What
openshift-cluster-versionnamespace.Why