Skip to content

OCPBUGS-65626: add service account to guard pod #2076

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ehearne-redhat wants to merge 1 commit into
base: master
Choose a base branch
from
Open

OCPBUGS-65626: add service account to guard pod #2076

ehearne-redhat wants to merge 1 commit into from

Conversation

@ehearne-redhat
Copy link

@ehearne-redhat ehearne-redhat commented Jan 8, 2026
edited
Loading

This change adds a bespoke service account to the guard pod. It also handles service account cleanup, and includes additional fields in tests and basic service account testing.

The reason for the change is that we should opt to use a bespoke service account rather than default.

@openshift-ci-robot openshift-ci-robot added jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jan 8, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 8, 2026

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65626, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 8, 2026
@ehearne-redhat ehearne-redhat changed the title [WIP] OCPBUGS-65626: add service account to guard pod OCPBUGS-65626: add service account to guard pod Jan 8, 2026
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 8, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 8, 2026

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65626, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This change adds a bespoke service account to the guard pod. It also handles service account cleanup, and includes additional fields in tests and basic service account testing.

The reason for the change is that we should opt to use a bespoke service account rather than default.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@ehearne-redhat
Copy link
Author

ehearne-redhat commented Jan 9, 2026

@wangke19 @p0lyn0mial this PR is ready to review. Could you please take a look? :)

@p0lyn0mial
Copy link
Contributor

p0lyn0mial commented Jan 28, 2026

/assign @ingvagabund

@ingvagabund please take a look at this PR. I think you are the best person to take a look since you created the controller. Thanks!

ingvagabund
ingvagabund reviewed Jan 29, 2026
View reviewed changes
@ehearne-redhat
Copy link
Author

ehearne-redhat commented Jan 29, 2026

Hey @ingvagabund - thanks so much for your review! I have amended the changes and added unit tests. Tests are passing locally.

Please take a look when you have the chance :)

ingvagabund
ingvagabund reviewed Feb 2, 2026
View reviewed changes
@ingvagabund
Copy link
Member

ingvagabund commented Feb 2, 2026
edited
Loading

The PR looks good in overall. Thank you. Just few more nits.

@ingvagabund
Copy link
Member

ingvagabund commented Feb 2, 2026

Can you also please open evidence PRs for the corresponding operators as wel? KCM-o, KA-o, KS-o. To see the CI goes green to avoid any hidden corners.

This was referenced Feb 3, 2026
Open
Open
Open
@ehearne-redhat
Copy link
Author

ehearne-redhat commented Feb 3, 2026

@ingvagabund thanks so much for your review - I have completed the evidence PRs. I'll re-ping for review when the tests come back. :)

@ehearne-redhat
Copy link
Author

ehearne-redhat commented Feb 4, 2026

Hey @ingvagabund the evidence PR's openshift/cluster-kube-controller-manager-operator#905 , openshift/cluster-kube-apiserver-operator#2026 , and openshift/cluster-kube-scheduler-operator#610 are now ready to review for evidence. I have attached proof of guard pods using their own service accounts in each.

Please take a look when you have the chance. :)

@ingvagabund
Copy link
Member

ingvagabund commented Feb 5, 2026

Brilliant :) Thank you.
/lgtm

@ingvagabund
Copy link
Member

ingvagabund commented Feb 5, 2026

@p0lyn0mial for the final approval

@ingvagabund
Copy link
Member

ingvagabund commented Feb 5, 2026

/lgtm cancel

@ehearne-redhat can you please squash the commits before merging?

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 6, 2026
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 6, 2026
@ehearne-redhat
add service account to guard pod
9a4deb2 
This change add a bespoke service account to a guard pod, and
introduces checks to remove zombie service accounts in the case of
manual guard pod deletion.

Tests are included to test behaviour of service account in different
scenarios.
@ehearne-redhat
Copy link
Author

ehearne-redhat commented Feb 6, 2026

Hi @ingvagabund - I have squashed the commits, and resolved merge conflicts along the way. Let me know if the squash description works for you. :)

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 6, 2026

@ehearne-redhat: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-encryption 1763302 link true /test e2e-aws-encryption

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@ingvagabund
Copy link
Member

ingvagabund commented Feb 6, 2026

All good. Thank you.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 6, 2026
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 6, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ehearne-redhat, ingvagabund
Once this PR has been reviewed and has the lgtm label, please assign dgrisonnet for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wangke19 wangke19 Awaiting requested review from wangke19

@dgrisonnet dgrisonnet Awaiting requested review from dgrisonnet

@p0lyn0mial p0lyn0mial Awaiting requested review from p0lyn0mial

1 more reviewer

@ingvagabund ingvagabund ingvagabund left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@ingvagabund ingvagabund

Labels

jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ehearne-redhat @openshift-ci-robot @p0lyn0mial @ingvagabund @openshift-merge-robot