OCPBUGS-65621: add dedicated service account to crb, cvo and version pod

[ehearne-redhat]

What

• Add dedicated service account to CVO and version pods in openshift-cluster-version namespace.
• Add cluster role binding and attach dedicated service account to it.

Why

• Default service account should not be used on OpenShift components.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

The changes refactor service account configuration for the cluster-version-operator. A ClusterRoleBinding granting cluster-admin to the default service account is removed, replaced by two new named ServiceAccounts (cluster-version-operator and update-payload) with corresponding RBAC bindings. Pod and deployment manifests are updated to reference the new named service accounts.

Changes

Cohort / File(s)	Summary
Service Account Creation install/0000_00_cluster-version-operator_02_service_account.yaml	Adds two new ServiceAccounts: cluster-version-operator and update-payload, both in the openshift-cluster-version namespace with annotations for description and high-availability.
RBAC Configuration install/0000_00_cluster-version-operator_02_roles.yaml, install/0000_90_cluster-version-operator_02_roles.yaml	Removes ClusterRoleBinding granting cluster-admin to default ServiceAccount; introduces two new ClusterRoleBindings binding cluster-admin to cluster-version-operator and default ServiceAccounts with descriptive annotations and lifecycle metadata.
Pod and Deployment Configuration bootstrap/bootstrap-pod.yaml, pkg/cvo/updatepayload.go, pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml	Adds serviceAccountName field assignments to Pod and Deployment specs: bootstrap Pod uses cluster-version-operator, update payload retrieval Pod uses update-payload, cluster-version-operator Deployment uses cluster-version-operator.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ehearne-redhat
Once this PR has been reviewed and has the lgtm label, please assign wking for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ehearne-redhat]

/retest

[ehearne-redhat]

/test e2e-aws-ovn-upgrade

[ehearne-redhat]

/test e2e-aws-ovn-techpreview

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65621, which is invalid:

• expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

WIP - do not merge.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ehearne-redhat]

/jira refresh

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65621, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @dis016

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65621, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @dis016

Details

In response to this:

What

• Add dedicated service account to CVO and version pods in openshift-cluster-version namespace.
• Add cluster role binding and attach dedicated service account to it.

Why

• Default service account should not be used on OpenShift components.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ehearne-redhat]

/test e2e-hypershift

[ehearne-redhat]

Will address failing tests tomorrow.

[ehearne-redhat]

/retest