OCPBUGS-78538: fix default service account

[neha037]

Summary by CodeRabbit

• Chores

  • Default ServiceAccount changed from "default" to "must-gather-admin"
  • CRD/schema updated to reflect new default and require a non-empty ServiceAccount name
  • Added admission validation to deny unauthorized ServiceAccount references and supporting RBAC test manifests

• Tests

  • Updated unit tests for the new default
  • Added E2E tests for API-server defaulting, Job usage of must-gather-admin, authorization failures, and empty-string validation

[openshift-ci-robot]

@neha037: This pull request references Jira Issue OCPBUGS-78538, which is invalid:

• expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Default for MustGather.spec.serviceAccountName changed from "default" to "must-gather-admin"; a MinLength=1 validation was added to the CRD; controller defaults and tests updated; new ValidatingAdmissionPolicy and Binding plus e2e testdata/fixtures enforce and exercise ServiceAccount "use" authorization.

Changes

Cohort / File(s)	Summary
API Type api/v1alpha1/mustgather_types.go	Changed kubebuilder default for MustGatherSpec.ServiceAccountName to must-gather-admin and added +kubebuilder:validation:MinLength=1.
CRD Manifests bundle/manifests/tech-preview/operator.openshift.io_mustgathers.yaml, deploy/crds/operator.openshift.io_mustgathers.yaml	Updated OpenAPI schema default and description to must-gather-admin and added minLength: 1.
Controller controllers/mustgather/mustgather_controller.go	Changed the default ServiceAccount used in validation/logging to must-gather-admin; existence checks and error handling unchanged.
Unit Tests controllers/mustgather/mustgather_controller_test.go, controllers/mustgather/template_test.go	Updated fixtures, helpers, and assertions to reference must-gather-admin instead of default.
E2E Tests & Testdata test/e2e/must_gather_operator_test.go, test/e2e/testdata/*must-gather-admin*.yaml, test/e2e/testdata/nonadmin-use-serviceaccount-*.yaml	Added must-gather-admin ServiceAccount and ClusterRoleBinding manifests, Role/RoleBinding for non-admin "use" permission, extended setup/teardown, and added tests for defaulting, MinLength validation, and authorization rejection.
Admission Policy deploy/09_must-gather.ValidatingAdmissionPolicy.yaml, deploy/10_must-gather.ValidatingAdmissionPolicyBinding.yaml	Added a ValidatingAdmissionPolicy and corresponding Binding that deny MustGather CREATE requests when the requester is not authorized to use the referenced ServiceAccount.

Sequence Diagram(s)

sequenceDiagram
    participant Client as User
    participant APIServer as API Server
    participant Admission as ValidatingAdmissionPolicy
    participant Authorizer as Authorizer
    participant Controller as MustGather Controller
    participant Kube as Kubernetes API

    Client->>APIServer: Create MustGather (spec.serviceAccountName set/omitted)
    APIServer->>Admission: Evaluate policy for CREATE mustgathers
    Admission->>Authorizer: Check "use" permission for ServiceAccount in namespace
    Authorizer-->>Admission: allow / deny
    alt allowed
        APIServer-->>Client: Admit object (defaulting applies if omitted)
        Controller->>Kube: Get ServiceAccount (uses default if omitted)
        Kube-->>Controller: ServiceAccount exists / not
        Controller->>Kube: Create Job with ServiceAccountName
    else denied
        Admission-->>APIServer: Deny (Forbidden)
        APIServer-->>Client: Reject request with authorization message
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Test Structure And Quality	⚠️ Warning	E2E tests lack consistent assertion messages and timeout configuration in Eventually() calls, violating quality standards for test reliability and maintainability.	Add meaningful error messages to all Expect() assertions and explicit timeout configuration to all Eventually() calls using WithTimeout() to prevent indefinite waits and improve failure diagnostics.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: fixing the default service account, which aligns with the PR's core objective of changing the default ServiceAccount from 'default' to 'must-gather-admin' across the codebase.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names are static, descriptive strings that clearly indicate what each test validates, with dynamic values appropriately placed only within test bodies for creating unique resource names.
Microshift Test Compatibility	✅ Passed	The three new e2e tests use only standard Kubernetes APIs and the operator's custom MustGather CRD, with no OpenShift-specific APIs unavailable on MicroShift.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The three new e2e tests validate ServiceAccount defaulting, RBAC authorization, and CRD constraints—all API-level validations that function correctly on Single Node OpenShift without requiring multi-node infrastructure.
Topology-Aware Scheduling Compatibility	✅ Passed	PR changes default ServiceAccount name and adds ValidatingAdmissionPolicy; no topology-breaking scheduling constraints added.
Ote Binary Stdout Contract	✅ Passed	The PR does not introduce any OTE Binary Stdout Contract violations. All new E2E test code exclusively uses GinkgoWriter.Printf() and By() helpers within test blocks.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	New e2e tests use cluster-internal APIs and ServiceAccount validation without IPv4 assumptions or external connectivity requirements.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.89%. Comparing base (59b15a1) to head (0dbcd58).

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #342   +/-   ##
=======================================
  Coverage   62.89%   62.89%           
=======================================
  Files           8        8           
  Lines         830      830           
=======================================
  Hits          522      522           
  Misses        302      302           
  Partials        6        6           

Files with missing lines	Coverage Δ
api/v1alpha1/mustgather_types.go	100.00% <ø> (ø)
controllers/mustgather/mustgather_controller.go	58.63% <100.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

controllers/mustgather/mustgather_controller_test.go (1)

775-818: ⚠️ Potential issue | 🟡 Minor

Minor: Update stale comment referencing 'default' service account.

The test name and comments correctly reference must-gather-admin, but the assertion message at line 816 still mentions 'default':

t.Fatalf("expected job to not be created when 'default' service account is missing")

This should reference 'must-gather-admin' for consistency.

📝 Suggested fix

-				t.Fatalf("expected job to not be created when 'default' service account is missing")
+				t.Fatalf("expected job to not be created when 'must-gather-admin' service account is missing")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@controllers/mustgather/mustgather_controller_test.go` around lines 775 - 818,
Update the failing assertion message in the test case
"reconcile_empty_service_account_name_must_gather_admin_not_found_calls_manage_error"
(inside the postTestChecks closure) to reference the correct service account
name: replace the t.Fatalf message that currently says "'default' service
account is missing" with one that mentions "'must-gather-admin' service account
is missing" so the comment and assertion message are consistent with the rest of
the test.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@deploy/crds/operator.openshift.io_mustgathers.yaml`:
- Line 6: Regenerate both CRD manifests so their controller-gen annotations
match: run controller-gen (prefer project standard e.g., v0.19.0) to re-generate
deploy/crds/operator.openshift.io_mustgathers.yaml and
bundle/manifests/tech-preview/operator.openshift.io_mustgathers.yaml, replacing
the mismatched controller-gen.kubebuilder.io/version entry (currently v0.16.4 vs
v0.19.0) so both files contain the same version and identical generated output;
verify the file headers now match and commit the updated manifests.

---

Outside diff comments:
In `@controllers/mustgather/mustgather_controller_test.go`:
- Around line 775-818: Update the failing assertion message in the test case
"reconcile_empty_service_account_name_must_gather_admin_not_found_calls_manage_error"
(inside the postTestChecks closure) to reference the correct service account
name: replace the t.Fatalf message that currently says "'default' service
account is missing" with one that mentions "'must-gather-admin' service account
is missing" so the comment and assertion message are consistent with the rest of
the test.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cf6160b7-8b0e-4fbf-b798-a80877467137

📥 Commits

Reviewing files that changed from the base of the PR and between 5794c2f and 57ffb0d.

📒 Files selected for processing (6)

• api/v1alpha1/mustgather_types.go
• bundle/manifests/tech-preview/operator.openshift.io_mustgathers.yaml
• controllers/mustgather/mustgather_controller.go
• controllers/mustgather/mustgather_controller_test.go
• controllers/mustgather/template_test.go
• deploy/crds/operator.openshift.io_mustgathers.yaml

[neha037]

/jira refresh

[openshift-ci-robot]

@neha037: This pull request references Jira Issue OCPBUGS-78538, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@neha037: This pull request references Jira Issue OCPBUGS-78538, which is invalid:

• expected the bug to target either version "5.0." or "openshift-5.0.", but it targets "4.22.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

Summary by CodeRabbit

• Chores

• Changed default ServiceAccount for MustGather operations from "default" to "must-gather-admin"

• Updated CRD schema and validation defaults

• Tests

• Added E2E tests to verify ServiceAccount defaulting behavior when not explicitly specified

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[neha037]

/jira refresh

[openshift-ci-robot]

@neha037: This pull request references Jira Issue OCPBUGS-78538, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: neha037
Once this PR has been reviewed and has the lgtm label, please assign shivprakashmuley for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[neha037]

/retest

[neha037]

/retest

[shivprakashmuley]

/retest

[neha037]

/test all

[openshift-ci]

@neha037: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/validate-boilerplate	0dbcd58	link	false	/test validate-boilerplate

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[neha037]

Changes will be done here - #347

[openshift-ci-robot]

@neha037: This pull request references Jira Issue OCPBUGS-78538. The bug has been updated to no longer refer to the pull request using the external bug tracker.

Details

In response to this:

Summary by CodeRabbit

• Chores

• Default ServiceAccount changed from "default" to "must-gather-admin"

• CRD/schema updated to reflect new default and require a non-empty ServiceAccount name

• Added admission validation to deny unauthorized ServiceAccount references and supporting RBAC test manifests

• Tests

• Updated unit tests for the new default

• Added E2E tests for API-server defaulting, Job usage of must-gather-admin, authorization failures, and empty-string validation

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.