24 commits
bf44d47 add dedicated service account to crb, cvo and version pod (ehearne-redhat, Nov 28, 2025)
29bce17 add new line to keep linter happy (ehearne-redhat, Nov 28, 2025)
2982ece add sa to testrendermanifest (ehearne-redhat, Nov 28, 2025)
ca25977 add dedicated sa for update payload (ehearne-redhat, Nov 28, 2025)
825ac61 add cluster-admin clusterrole (ehearne-redhat, Nov 29, 2025)
446f19b remove cluster-admin role from file (ehearne-redhat, Nov 30, 2025)
bb1602f add new cluster role with watch feature gate (ehearne-redhat, Dec 1, 2025)
d7e4cd0 re-add cluster-admin (ehearne-redhat, Dec 1, 2025)
5641681 rename roles to ensure service account is added first (ehearne-redhat, Dec 3, 2025)
5fe9198 rename cvo-dedicated-sa to cluster-version-operator (ehearne-redhat, Dec 3, 2025)
6310c45 add default sa crb back to test into and out of change test failures (ehearne-redhat, Dec 4, 2025)
b39df2b add back featuregate read role + remove default crb (ehearne-redhat, Dec 4, 2025)
7d69c50 add new reader permissions (ehearne-redhat, Dec 5, 2025)
0c875cc add leases role and role binding (ehearne-redhat, Dec 5, 2025)
7b05705 move roles back to 02 but ZZ to ensure applied last step of 02 (ehearne-redhat, Dec 11, 2025)
31c2b46 add annotations to ensure inclusion (ehearne-redhat, Dec 12, 2025)
9002190 add scc privilege to cluster-version-operator service account (ehearne-redhat, Dec 12, 2025)
38530cd add missing annotations (ehearne-redhat, Dec 15, 2025)
a575e1c allow cluster-version-operator service account to use hostaccess scc (ehearne-redhat, Dec 16, 2025)
fc55fa5 simplify role bindings to resolve scc test failure (ehearne-redhat, Dec 17, 2025)
7be8122 ensure different names for crbs (ehearne-redhat, Jan 6, 2026)
d677a46 add cvo service account to bootstrap pod (ehearne-redhat, Feb 4, 2026)
6e3595e change update-payload sa name (ehearne-redhat, Feb 4, 2026)
63774e1 move role to lower runlevel (ehearne-redhat, Feb 4, 2026)
1 change: 1 addition & 0 deletions bootstrap/bootstrap-pod.yaml
Expand Up @@ -6,6 +6,7 @@ metadata:
labels:
k8s-app: cluster-version-operator
spec:
serviceAccountName: cluster-version-operator
containers:
- name: cluster-version-operator
image: {{.ReleaseImage}}
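Review bot: adding `serviceAccountName` here only does something if this pod is admitted through the API server; if bootstrap-pod.yaml is run by the bootstrap kubelet as a static pod, the kubelet will not project a token for it (static pods cannot reference ServiceAccounts), so the line is inert and the bootstrap CVO keeps whatever credential it uses today. The earlier review asked for either this line or a commit message explaining why it is not needed; commit d677a46 should state which case applies and, if the pod is API-admitted, note that the `cluster-version-operator` ServiceAccount must already exist in `openshift-cluster-version`, since ServiceAccount admission rejects a pod whose account does not exist.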
14 changes: 0 additions & 14 deletions install/0000_00_cluster-version-operator_02_roles.yaml

This file was deleted.

17 changes: 17 additions & 0 deletions install/0000_00_cluster-version-operator_02_service_account.yaml
@@ -0,0 +1,17 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: cluster-version-operator
namespace: openshift-cluster-version
annotations:
kubernetes.io/description: Dedicated Service Account for the Cluster Version Operator.
include.release.openshift.io/self-managed-high-availability: "true"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: update-payload
namespace: openshift-cluster-version
annotations:
kubernetes.io/description: Dedicated Service Account for the Update Payload.
include.release.openshift.io/self-managed-high-availability: "true"
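Review bot: consider `automountServiceAccountToken: false` on the `update-payload` ServiceAccount. The pod that uses it (pkg/cvo/updatepayload.go in this PR) sets no automount field of its own, and no binding for `update-payload` is visible anywhere in this PR, so as written the payload pod receives a projected token that authorizes nothing; disabling automount at the ServiceAccount keeps that credential out of a pod whose init containers run content from the release image. The `kubernetes.io/description` annotations are good; one more clause naming which pod each account is meant for would make the intended scope reviewable when someone later adds a binding.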
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ spec:
k8s-app: cluster-version-operator
spec:
automountServiceAccountToken: false
serviceAccountName: cluster-version-operator
Review comment (Member):
Can you either add this to the bootstrap manifest too, or have a commit message that mentions why we don't need a service account for that bootstrap manifest?

In that vein, you might want to reshuffle your existing commit stack to try and tell the transformation story in a more narrative arc. It is completely fine to take a bunch of commits, if you need more space to talk about each pivot in a series. But at the moment, there are things like fc55fa5, which sounds like useful context to include in a "why I did things this way..." commit message in a commit that adds the new role-bindings. But I don't see a benefit to keeping it completely separate, vs. having a single commit that brings in the finished role bindings and then explains all the context you need to explain that finished shape.

Reply (Author):
I've added it to the bootstrap manifest. I'll wait to see how tests behave before squashing the commits into a narrative commit, or a collection of them depending.

containers:
- name: cluster-version-operator
image: '{{.ReleaseImage}}'
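Review bot: `automountServiceAccountToken: false` is still set directly above the new `serviceAccountName`, so this pod receives no token for `cluster-version-operator`, and the cluster-admin binding added for that account is not what the deployment authenticates with; the credential it actually runs with is not visible in this hunk. That is fine if intentional (the account then matters for SCC selection, which is what commits 9002190 and a575e1c deal with, and for the pod's recorded identity), but the squashed commit message should say so explicitly, otherwise the next reader will assume the binding is load-bearing for this pod and be surprised when removing it changes nothing.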
45 changes: 45 additions & 0 deletions install/0000_90_cluster-version-operator_02_roles.yaml
@@ -0,0 +1,45 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-version-operator-1
annotations:
include.release.openshift.io/self-managed-high-availability: "true"
subjects:
- kind: ServiceAccount
name: cluster-version-operator
namespace: openshift-cluster-version
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
---
# apiVersion: rbac.authorization.k8s.io/v1
# kind: ClusterRoleBinding
# metadata:
# name: cluster-version-operator-payload
# annotations:
# include.release.openshift.io/self-managed-high-availability: "true"
# subjects:
# - kind: ServiceAccount
# name: update-payload
# namespace: openshift-cluster-version
# roleRef:
# kind: ClusterRole
# name: cluster-admin
# apiGroup: rbac.authorization.k8s.io
# ---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-version-operator
annotations:
kubernetes.io/description: Grant the cluster-version operator permission to perform cluster-admin actions while managing the OpenShift core.
include.release.openshift.io/self-managed-high-availability: "true"
release.openshift.io/delete: "true"
roleRef:
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
namespace: openshift-cluster-version
name: default
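Review bot: several points on this file. The delete-marked binding at the bottom omits `roleRef.apiGroup` while the binding above it sets it; add `apiGroup: rbac.authorization.k8s.io` so the object passes RBAC validation wherever it is rendered or schema-checked, not only on the path where the CVO deletes it. The commented-out `cluster-version-operator-payload` block should either be dropped or shipped: as committed, `update-payload` has no binding on this page, which is the right least-privilege default if the payload pod only copies files, and the commit message should say that is deliberate rather than leaving dead YAML to hint at it. The live binding grants `cluster-admin` to the new account, so what this PR buys is attribution (audit log entries show `system:serviceaccount:openshift-cluster-version:cluster-version-operator` instead of `...:default`), not a reduction in privilege; the PR description should not imply otherwise. `cluster-version-operator-1` reads as a workaround for the name clash with the delete-marked binding; a name that says what it binds would age better. Lastly, commit 63774e1 says "move role to lower runlevel" but the file now sits at `0000_90_...`, after the `0000_00_...` ServiceAccount and deployment; state the intended ordering in the commit message, because the two currently read as contradicting each other.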
Comment on lines +31 to +45:

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Kubernetes ClusterRoleBinding roleRef apiGroup required schema

💡 Result:

For rbac.authorization.k8s.io/v1 ClusterRoleBinding, roleRef is required, and within it apiGroup, kind, and name are all required fields. roleRef in a ClusterRoleBinding can only reference a ClusterRole, and the roleRef is immutable (can’t be changed after creation). [1], [2]

Minimal schema (YAML shape):

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <binding-name>
roleRef:                # required
  apiGroup: rbac.authorization.k8s.io   # required
  kind: ClusterRole                  # required (ClusterRoleBinding -> ClusterRole)
  name: <clusterrole-name>           # required
subjects:
- kind: User|Group|ServiceAccount
  name: <subject-name>
  namespace: <ns>        # only for ServiceAccount
  apiGroup: rbac.authorization.k8s.io  # for User/Group (not used for ServiceAccount)
```

[1], [2]

**Key point:** `roleRef.apiGroup` is not optional—set it to **`rbac.authorization.k8s.io`** for RBAC Role/ClusterRole references. [1], [2]

Sources:  
[1] Kubernetes RBAC reference / ClusterRoleBinding fields (roleRef + required subfields) ([dev-k8sref-io.web.app](https://dev-k8sref-io.web.app/docs/authorization/clusterrolebinding-v1/?utm_source=openai))  
[2] Kubernetes RBAC docs (ClusterRoleBinding example; roleRef immutability) ([v1-32.docs.kubernetes.io](https://v1-32.docs.kubernetes.io/docs/reference/access-authn-authz/rbac/?utm_source=openai))


---


**Add missing `roleRef.apiGroup` to avoid invalid ClusterRoleBinding.**

The `roleRef` field omits `apiGroup`, which is a required field in the Kubernetes RBAC schema for ClusterRoleBinding. This omission will cause validation failures when the manifest is applied or schema-checked. Set it to `rbac.authorization.k8s.io`.

Proposed fix:

```diff
 roleRef:
   kind: ClusterRole
   name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
```
📝 Committable suggestion


Suggested change (replacement for lines 31 to 45):

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-version-operator
  annotations:
    kubernetes.io/description: Grant the cluster-version operator permission to perform cluster-admin actions while managing the OpenShift core.
    include.release.openshift.io/self-managed-high-availability: "true"
    release.openshift.io/delete: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  namespace: openshift-cluster-version
  name: default
```
🤖 Prompt for AI Agents
In `@install/0000_00_cluster-version-operator_03_roles.yaml` around lines 31 -
45, The ClusterRoleBinding manifest is missing the required roleRef.apiGroup
field; update the ClusterRoleBinding (metadata.name: cluster-version-operator)
to add roleRef.apiGroup: rbac.authorization.k8s.io alongside the existing
roleRef.kind: ClusterRole and roleRef.name: cluster-admin so the roleRef block
is valid for Kubernetes RBAC (affecting the ClusterRoleBinding that grants the
ServiceAccount in namespace openshift-cluster-version name default).

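The bot comment above makes two checks by hand: whether each binding carries a valid `roleRef.apiGroup`, and which ServiceAccount ends up holding `cluster-admin` once the delete-marked binding is gone. The script below is an added example, not code from the cluster-version-operator repository or from the review bot; it runs the same two checks over the JSON that `kubectl get clusterrolebindings -o json` produces (a v1 List of ClusterRoleBinding objects, an assumed input shape), and the sample document embedded in it is constructed by hand to mirror the two bindings in the diff plus one ordinary group binding that the filters should ignore. The `release.openshift.io/delete` annotation is treated as meaning "scheduled for removal", as the manifest on this page uses it.

```python
"""Audit ClusterRoleBindings exported as JSON for two review questions:
which bindings lack a valid roleRef.apiGroup, and which ServiceAccounts
hold cluster-admin (and whether that binding is marked for deletion).

Added example, not code from the cluster-version-operator repository.
Assumes input shaped like `kubectl get clusterrolebindings -o json`.
"""
import json
import sys

RBAC_GROUP = "rbac.authorization.k8s.io"
DELETE_ANNOTATION = "release.openshift.io/delete"  # assumed: "true" means scheduled for removal

# Constructed sample mirroring the bindings in the diff, plus one ordinary
# group binding so the filters have something to ignore.
SAMPLE_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "cluster-version-operator-1"},
            "roleRef": {"apiGroup": RBAC_GROUP, "kind": "ClusterRole",
                        "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount",
                          "name": "cluster-version-operator",
                          "namespace": "openshift-cluster-version"}],
        },
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "cluster-version-operator",
                         "annotations": {DELETE_ANNOTATION: "true"}},
            # apiGroup deliberately absent, as in the delete-marked binding.
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "default",
                          "namespace": "openshift-cluster-version"}],
        },
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "system:basic-user"},
            "roleRef": {"apiGroup": RBAC_GROUP, "kind": "ClusterRole",
                        "name": "system:basic-user"},
            "subjects": [{"apiGroup": RBAC_GROUP, "kind": "Group",
                          "name": "system:authenticated"}],
        },
    ],
})


def load_bindings(text):
    """Parse a v1 List (or a single object) and keep the ClusterRoleBindings."""
    doc = json.loads(text)
    items = doc.get("items", [doc])
    return [b for b in items if b.get("kind") == "ClusterRoleBinding"]


def subject_username(subject):
    """Render a subject the way it appears in apiserver audit log entries."""
    if subject.get("kind") == "ServiceAccount":
        return "system:serviceaccount:%s:%s" % (subject["namespace"], subject["name"])
    return subject.get("name", "")


def missing_role_ref_apigroup(bindings):
    """Names of bindings whose roleRef.apiGroup is absent or not the RBAC group."""
    return [b["metadata"]["name"] for b in bindings
            if b.get("roleRef", {}).get("apiGroup") != RBAC_GROUP]


def cluster_admin_service_accounts(bindings, role="cluster-admin"):
    """(binding name, audit username, delete-marked) per ServiceAccount bound to role."""
    found = []
    for b in bindings:
        if b.get("roleRef", {}).get("name") != role:
            continue
        annotations = b["metadata"].get("annotations", {})
        delete_marked = annotations.get(DELETE_ANNOTATION) == "true"
        for s in b.get("subjects", []):
            if s.get("kind") == "ServiceAccount":
                found.append((b["metadata"]["name"], subject_username(s), delete_marked))
    return found


def report(text):
    """Human-readable summary of both checks for one exported document."""
    bindings = load_bindings(text)
    invalid = missing_role_ref_apigroup(bindings) or ["none"]
    lines = ["invalid roleRef.apiGroup: " + ", ".join(invalid)]
    for name, who, gone in cluster_admin_service_accounts(bindings):
        suffix = " (delete-marked)" if gone else ""
        lines.append("cluster-admin: %s via %s%s" % (who, name, suffix))
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe `kubectl get clusterrolebindings -o json` in, or run with no input
    # to audit the constructed sample.
    print(report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON))
```

Run against a live cluster the second check is the one to repeat after the delete-marked binding is gone: the expected end state is exactly one cluster-admin ServiceAccount in `openshift-cluster-version`, and it should not be `default`.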
1 change: 1 addition & 0 deletions pkg/cvo/updatepayload.go
Expand Up @@ -232,6 +232,7 @@ func (r *payloadRetriever) fetchUpdatePayloadToDir(ctx context.Context, dir stri
},
},
Spec: corev1.PodSpec{
ServiceAccountName: "update-payload",
ActiveDeadlineSeconds: deadline,
InitContainers: []corev1.Container{
setContainerDefaults(corev1.Container{
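Review bot: `"update-payload"` is a bare string literal here while the same name lives in install/0000_00_cluster-version-operator_02_service_account.yaml, and commit 6e3595e already renamed it once; if the two drift, pod creation fails at admission with a missing ServiceAccount instead of at build time. Hoist the name to a package-level constant that the render test (TestRenderManifest, per commit 2982ece) can compare against the manifest. And if, as its name suggests, this pod only fetches the payload and needs no API access, set `AutomountServiceAccountToken` to a pointer to false in this PodSpec so no token is projected into a pod running the release image.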
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ spec:
k8s-app: cluster-version-operator
spec:
automountServiceAccountToken: false
serviceAccountName: cluster-version-operator
containers:
- name: cluster-version-operator
image: 'quay.io/cvo/release:latest'
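Review bot: this fixture reproduces the deployment hunk above, including `automountServiceAccountToken: false` next to the new `serviceAccountName`, which is the pairing the change depends on; if this is the fixture the render test compares against, have that test also assert that every `serviceAccountName` in the rendered manifests names a ServiceAccount declared under install/, so that a rename in any of the three places it now appears (this fixture, the deployment, pkg/cvo/updatepayload.go) fails in CI rather than at pod admission.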