OCPBUGS-65621: add dedicated service account to crb, cvo and version pod

[ehearne-redhat]

What

• Add dedicated service account to CVO and version pods in openshift-cluster-version namespace.
• Add cluster role binding and attach dedicated service account to it.

Why

• Default service account should not be used on OpenShift components.

[coderabbitai]

Walkthrough

This PR refactors service account configuration for cluster-version-operator and update-payload components by introducing dedicated ServiceAccounts with explicit RBAC bindings, removing the existing default ServiceAccount cluster-admin binding, and updating manifests and code to reference the new service accounts.

Changes

Cohort / File(s)	Summary
Service Account Definitions install/0000_00_cluster-version-operator_02_service_account.yaml	Introduces two new ServiceAccounts: cluster-version-operator and update-payload, both annotated with descriptions and self-managed-high-availability flags in the openshift-cluster-version namespace.
RBAC Configuration install/0000_00_cluster-version-operator_02_roles.yaml, install/0000_90_cluster-version-operator_02_roles.yaml	Removes default ServiceAccount cluster-admin binding; adds two ClusterRoleBindings granting cluster-admin role to cluster-version-operator and default ServiceAccount.
Pod and Deployment Manifests bootstrap/bootstrap-pod.yaml, install/0000_00_cluster-version-operator_03_deployment.yaml	Adds explicit serviceAccountName field referencing the cluster-version-operator service account in Pod and Deployment specs.
Code Updates pkg/cvo/updatepayload.go	Specifies update-payload service account name in the payload retrieval pod specification.
Test Data pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml	Updates expected test manifest to include serviceAccountName field in the rendered deployment specification.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Important

Action Needed: IP Allowlist Update

If your organization protects your Git platform with IP whitelisting, please add the new CodeRabbit IP address to your allowlist:

• ✨ 136.113.208.247/32 (new)
• 34.170.211.100/32
• 35.222.179.152/32

Reviews will stop working after February 8, 2026 if the new IP is not added to your allowlist.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ehearne-redhat
Once this PR has been reviewed and has the lgtm label, please assign wking for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ehearne-redhat]

/retest

[ehearne-redhat]

/test e2e-aws-ovn-upgrade

[ehearne-redhat]

/test e2e-aws-ovn-techpreview

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65621, which is invalid:

• expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

WIP - do not merge.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ehearne-redhat]

/jira refresh

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65621, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @dis016

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65621, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @dis016

Details

In response to this:

What

• Add dedicated service account to CVO and version pods in openshift-cluster-version namespace.
• Add cluster role binding and attach dedicated service account to it.

Why

• Default service account should not be used on OpenShift components.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/test e2e-aws-ovn-techpreview

[ehearne-redhat]

/test okd-scos-images

[wking]

Redundant vs. the cluster-version-operator you declare down at the end of this file?

[ehearne-redhat]

Actually, this one is interesting. So, in order to get the into-change and out-of-change tests to pass, these two CRBs play different roles.

cluster-version-operator CRB is for the out-of-change test. It looks for this binding so it has the necessary permissions for the default service account to conduct itself.

cluster-version-operator-1 CRB is for the into-change test. This binding ensures the new service account cluster-version-operator has the necessary permissions to conduct itself.

Without cluster-version-operator CRB, the default service account appears to not have the necessary permissions and fail, probably because of the naming of the CRBs. This is important for the out-of-change test to pass.

[wking]

Update-payload Pod doesn't make Kube API calls at all, so I don't think we need this cluster-version-operator-payload ClusterRoleBinding.

[ehearne-redhat]

I've commented it out to test this. If proves true in testing, I'll remove entirely.

[wking]

Can you either add this to the bootstrap manifest too, or have a commit message that mentions why we don't need a service account for that bootstrap manifest?

In that vein, you might want to reshuffle your existing commit stack to try and tell the transformation story in a more narrative arc. It is completely fine to take a bunch of commits, if you need more space to talk about each pivot in a series. But at the moment, there are things like fc55fa5, which sounds like useful context to include in a "why I did things this way..." commit message in a commit that adds the new role-bindings. But I don't see a benefit to keeping it completely separate, vs. having a single commit that brings in the finished roll bindings and then explains all the context you need to explain that finished shape.

[ehearne-redhat]

I've added it to the bootstrap manifest. I'll wait to see how tests behave before squashing the commits into a narrative commit, or a collection of them depending.

[ehearne-redhat]

/retest

[openshift-ci]

@ehearne-redhat: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-agnostic-ovn-upgrade-into-change	63774e1	link	true	/test e2e-agnostic-ovn-upgrade-into-change
ci/prow/e2e-agnostic-ovn	63774e1	link	true	/test e2e-agnostic-ovn
ci/prow/e2e-agnostic-ovn-upgrade-out-of-change	63774e1	link	true	/test e2e-agnostic-ovn-upgrade-out-of-change
ci/prow/e2e-agnostic-operator	63774e1	link	true	/test e2e-agnostic-operator
ci/prow/e2e-hypershift	63774e1	link	true	/test e2e-hypershift
ci/prow/e2e-aws-ovn-techpreview	63774e1	link	true	/test e2e-aws-ovn-techpreview
ci/prow/e2e-agnostic-ovn-techpreview-serial	63774e1	link	true	/test e2e-agnostic-ovn-techpreview-serial

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.