Merge pull request #1266 from ehearne-redhat/ensure-cvo-use-bespoke-service-account

OCPBUGS-65621: add dedicated service account to crb, cvo and version pod

Author: openshift-merge-bot[bot]

install/0000_00_cluster-version-operator_02_service_account-cluster-version-operator.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cluster-version-operator
+  namespace: openshift-cluster-version
+  annotations:
+    kubernetes.io/description: Dedicated Service Account for the Cluster Version Operator.
+    include.release.openshift.io/self-managed-high-availability: "true"

install/0000_00_cluster-version-operator_02_service_account-update-payload.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: update-payload
+  namespace: openshift-cluster-version
+  annotations:
+    kubernetes.io/description: Dedicated Service Account for the Update Payload.
+    include.release.openshift.io/self-managed-high-availability: "true"

install/0000_00_cluster-version-operator_03_roles-cluster-version-operator.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-version-operator-1
+  annotations:
+    include.release.openshift.io/self-managed-high-availability: "true"
+subjects:
+- kind: ServiceAccount
+  name: cluster-version-operator
+  namespace: openshift-cluster-version
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io

…0_cluster-version-operator_02_roles.yaml …r-version-operator_03_roles-default.yamlinstall/0000_00_cluster-version-operator_02_roles.yaml renamed to install/0000_00_cluster-version-operator_03_roles-default.yaml install/0000_00_cluster-version-operator_02_roles.yaml renamed to install/0000_00_cluster-version-operator_03_roles-default.yaml

@@ -3,11 +3,11 @@ kind: ClusterRoleBinding
 metadata:
   name: cluster-version-operator
   annotations:
-    kubernetes.io/description: Grant the cluster-version operator permission to perform cluster-admin actions while managing the OpenShift core.
     include.release.openshift.io/self-managed-high-availability: "true"
 roleRef:
   kind: ClusterRole
   name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
 subjects:
 - kind: ServiceAccount
   namespace: openshift-cluster-version

…ster-version-operator_03_deployment.yaml …ster-version-operator_30_deployment.yamlinstall/0000_00_cluster-version-operator_03_deployment.yaml renamed to install/0000_00_cluster-version-operator_30_deployment.yaml install/0000_00_cluster-version-operator_03_deployment.yaml renamed to install/0000_00_cluster-version-operator_30_deployment.yaml

@@ -23,6 +23,7 @@ spec:
         k8s-app: cluster-version-operator
     spec:
       automountServiceAccountToken: false
+      serviceAccountName: cluster-version-operator
       containers:
       - name: cluster-version-operator
         image: '{{.ReleaseImage}}'

…cluster-version-operator_04_service.yaml …cluster-version-operator_40_service.yamlinstall/0000_00_cluster-version-operator_04_service.yaml renamed to install/0000_00_cluster-version-operator_40_service.yaml install/0000_00_cluster-version-operator_04_service.yaml renamed to install/0000_00_cluster-version-operator_40_service.yaml

@@ -233,6 +233,7 @@ func (r *payloadRetriever) fetchUpdatePayloadToDir(ctx context.Context, dir stri
 			},
 		},
 		Spec: corev1.PodSpec{
+			ServiceAccountName:    "update-payload",
 			ActiveDeadlineSeconds: deadline,
 			InitContainers: []corev1.Container{
 				setContainerDefaults(corev1.Container{

pkg/cvo/updatepayload.go

@@ -29,7 +29,7 @@ func TestRenderManifest(t *testing.T) {
 				ReleaseImage:   "quay.io/cvo/release:latest",
 				ClusterProfile: "some-profile",
 			},
-			manifestFile:         "../../install/0000_00_cluster-version-operator_03_deployment.yaml",
+			manifestFile:         "../../install/0000_00_cluster-version-operator_30_deployment.yaml",
 			expectedManifestFile: "./testdata/TestRenderManifest_expected_cvo_deployment.yaml",
 		},
 	}

pkg/payload/render_test.go

@@ -23,6 +23,7 @@ spec:
         k8s-app: cluster-version-operator
     spec:
       automountServiceAccountToken: false
+      serviceAccountName: cluster-version-operator
       containers:
       - name: cluster-version-operator
         image: 'quay.io/cvo/release:latest'