OCPBUGS-65621: add dedicated service account to crb, cvo and version pod

[ehearne-redhat]

What

• Add dedicated service account to CVO and version pods in openshift-cluster-version namespace.
• Add cluster role binding and attach dedicated service account to it.

Why

• Default service account should not be used on OpenShift components.

[coderabbitai]

Walkthrough

This change restructures the cluster-version-operator's RBAC configuration by introducing dedicated service accounts (cluster-version-operator and update-payload) in place of relying on the default service account, and binding these accounts to the necessary cluster-admin roles. Service account references are added to relevant pod and deployment specifications.

Changes

Cohort / File(s)	Summary
New Service Accounts install/0000_00_cluster-version-operator_02_service_account.yaml	Introduces two new ServiceAccounts: cluster-version-operator and update-payload, both in the openshift-cluster-version namespace with high-availability annotations.
RBAC Binding Restructuring install/0000_00_cluster-version-operator_02_roles.yaml, install/0000_00_cluster-version-operator_03_roles.yaml	Removes the ClusterRoleBinding that granted cluster-admin to the default ServiceAccount; adds three new ClusterRoleBindings granting cluster-admin to cluster-version-operator, update-payload, and default ServiceAccounts.
Service Account Integration bootstrap/bootstrap-pod.yaml, pkg/cvo/updatepayload.go, install/0000_00_cluster-version-operator_04_deployment.yaml, pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml	Updates Pod and Deployment specifications to reference the appropriate service accounts (cluster-version-operator for CVO deployment and bootstrap pod; update-payload for payload retrieval pod).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ehearne-redhat
Once this PR has been reviewed and has the lgtm label, please assign wking for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ehearne-redhat]

/retest

[ehearne-redhat]

/test e2e-aws-ovn-upgrade

[ehearne-redhat]

/test e2e-aws-ovn-techpreview

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65621, which is invalid:

• expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

WIP - do not merge.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ehearne-redhat]

/jira refresh

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65621, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @dis016

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65621, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @dis016

Details

In response to this:

What

• Add dedicated service account to CVO and version pods in openshift-cluster-version namespace.
• Add cluster role binding and attach dedicated service account to it.

Why

• Default service account should not be used on OpenShift components.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/test e2e-aws-ovn-techpreview

[ehearne-redhat]

/test okd-scos-images

[wking]

Redundant vs. the cluster-version-operator you declare down at the end of this file?

[ehearne-redhat]

Actually, this one is interesting. So, in order to get the into-change and out-of-change tests to pass, these two CRBs play different roles.

cluster-version-operator CRB is for the out-of-change test. It looks for this binding so it has the necessary permissions for the default service account to conduct itself.

cluster-version-operator-1 CRB is for the into-change test. This binding ensures the new service account cluster-version-operator has the necessary permissions to conduct itself.

Without cluster-version-operator CRB, the default service account appears to not have the necessary permissions and fail, probably because of the naming of the CRBs. This is important for the out-of-change test to pass.

[wking]

Update-payload Pod doesn't make Kube API calls at all, so I don't think we need this cluster-version-operator-payload ClusterRoleBinding.

[ehearne-redhat]

I've commented it out to test this. If proves true in testing, I'll remove entirely.

[wking]

Can you either add this to the bootstrap manifest too, or have a commit message that mentions why we don't need a service account for that bootstrap manifest?

In that vein, you might want to reshuffle your existing commit stack to try and tell the transformation story in a more narrative arc. It is completely fine to take a bunch of commits, if you need more space to talk about each pivot in a series. But at the moment, there are things like fc55fa5, which sounds like useful context to include in a "why I did things this way..." commit message in a commit that adds the new role-bindings. But I don't see a benefit to keeping it completely separate, vs. having a single commit that brings in the finished roll bindings and then explains all the context you need to explain that finished shape.

[ehearne-redhat]

I've added it to the bootstrap manifest. I'll wait to see how tests behave before squashing the commits into a narrative commit, or a collection of them depending.

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@install/0000_00_cluster-version-operator_03_roles.yaml`‎:
- Around line 31-45: The ClusterRoleBinding manifest is missing the required
roleRef.apiGroup field; update the ClusterRoleBinding (metadata.name:
cluster-version-operator) to add roleRef.apiGroup: rbac.authorization.k8s.io
alongside the existing roleRef.kind: ClusterRole and roleRef.name: cluster-admin
so the roleRef block is valid for Kubernetes RBAC (affecting the
ClusterRoleBinding that grants the ServiceAccount in namespace
openshift-cluster-version name default).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Kubernetes ClusterRoleBinding roleRef apiGroup required schema

💡 Result:

For rbac.authorization.k8s.io/v1 ClusterRoleBinding, roleRef is required, and within it apiGroup, kind, and name are all required fields. roleRef in a ClusterRoleBinding can only reference a ClusterRole, and the roleRef is immutable (can’t be changed after creation). [1], [2]

Minimal schema (YAML shape):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <binding-name>
roleRef:                # required
  apiGroup: rbac.authorization.k8s.io   # required
  kind: ClusterRole                  # required (ClusterRoleBinding -> ClusterRole)
  name: <clusterrole-name>           # required
subjects:
- kind: User|Group|ServiceAccount
  name: <subject-name>
  namespace: <ns>        # only for ServiceAccount
  apiGroup: rbac.authorization.k8s.io  # for User/Group (not used for ServiceAccount)
``` [1], [2]

**Key point:** `roleRef.apiGroup` is not optional—set it to **`rbac.authorization.k8s.io`** for RBAC Role/ClusterRole references. [1], [2]

Sources:  
[1] Kubernetes RBAC reference / ClusterRoleBinding fields (roleRef + required subfields) ([dev-k8sref-io.web.app](https://dev-k8sref-io.web.app/docs/authorization/clusterrolebinding-v1/?utm_source=openai))  
[2] Kubernetes RBAC docs (ClusterRoleBinding example; roleRef immutability) ([v1-32.docs.kubernetes.io](https://v1-32.docs.kubernetes.io/docs/reference/access-authn-authz/rbac/?utm_source=openai))

Citations:

- 1: https://dev-k8sref-io.web.app/docs/authorization/clusterrolebinding-v1/?utm_source=openai
- 2: https://v1-32.docs.kubernetes.io/docs/reference/access-authn-authz/rbac/?utm_source=openai

---



</details>

**Add missing `roleRef.apiGroup` to avoid invalid ClusterRoleBinding.**

The `roleRef` field omits `apiGroup`, which is a required field in the Kubernetes RBAC schema for ClusterRoleBinding. This omission will cause validation failures when the manifest is applied or schema-checked. Set it to `rbac.authorization.k8s.io`.

<details>
<summary>Proposed fix</summary>

```diff
 roleRef:
   kind: ClusterRole
   name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	name: cluster-version-operator
	annotations:
	kubernetes.io/description: Grant the cluster-version operator permission to perform cluster-admin actions while managing the OpenShift core.
	include.release.openshift.io/self-managed-high-availability: "true"
	release.openshift.io/delete: "true"
	roleRef:
	kind: ClusterRole
	name: cluster-admin
	subjects:
	- kind: ServiceAccount
	namespace: openshift-cluster-version
	name: default
	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRoleBinding
	metadata:
	name: cluster-version-operator
	annotations:
	kubernetes.io/description: Grant the cluster-version operator permission to perform cluster-admin actions while managing the OpenShift core.
	include.release.openshift.io/self-managed-high-availability: "true"
	release.openshift.io/delete: "true"
	roleRef:
	kind: ClusterRole
	name: cluster-admin
	apiGroup: rbac.authorization.k8s.io
	subjects:
	- kind: ServiceAccount
	namespace: openshift-cluster-version
	name: default

🤖 Prompt for AI Agents

In `@install/0000_00_cluster-version-operator_03_roles.yaml`‎ around lines 31 -
45, The ClusterRoleBinding manifest is missing the required roleRef.apiGroup
field; update the ClusterRoleBinding (metadata.name: cluster-version-operator)
to add roleRef.apiGroup: rbac.authorization.k8s.io alongside the existing
roleRef.kind: ClusterRole and roleRef.name: cluster-admin so the roleRef block
is valid for Kubernetes RBAC (affecting the ClusterRoleBinding that grants the
ServiceAccount in namespace openshift-cluster-version name default).

[openshift-ci]

@ehearne-redhat: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-agnostic-ovn-upgrade-into-change	9145861	link	true	/test e2e-agnostic-ovn-upgrade-into-change
ci/prow/unit	9145861	link	true	/test unit
ci/prow/e2e-aws-ovn-techpreview	9145861	link	true	/test e2e-aws-ovn-techpreview
ci/prow/e2e-agnostic-operator	9145861	link	true	/test e2e-agnostic-operator
ci/prow/e2e-hypershift	9145861	link	true	/test e2e-hypershift
ci/prow/e2e-agnostic-ovn-upgrade-out-of-change	9145861	link	true	/test e2e-agnostic-ovn-upgrade-out-of-change
ci/prow/e2e-agnostic-ovn-techpreview-serial	9145861	link	true	/test e2e-agnostic-ovn-techpreview-serial
ci/prow/e2e-agnostic-ovn	9145861	link	true	/test e2e-agnostic-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.