Remove system:serviceaccounts:openshift-kube-controller-manager

Nont · Nont · commit a828d882da31 · 2025-10-21T22:04:38.000-05:00
Signed-off-by: Nont &lt;nont@duck.com&gt;
diff --git a/pkg/webhook/managedresource/createordelete_test.go b/pkg/webhook/managedresource/createordelete_test.go
@@ -373,11 +373,9 @@ func TestGetVAPBindingWithMutator(t *testing.T) {
 	// Verify initial state
 	if vapb == nil {
 		t.Fatal("getVAPBindingWithMutator() returned nil VAP binding")
-		return
 	}
 	if mutateFunc == nil {
 		t.Fatal("getVAPBindingWithMutator() returned nil mutate function")
-		return
 	}
 
 	// Verify mutate function works
diff --git a/pkg/webhook/managedresource/validatingadmissionpolicy.go b/pkg/webhook/managedresource/validatingadmissionpolicy.go
@@ -63,8 +63,7 @@ func mutateValidatingAdmissionPolicy(vap *admv1.ValidatingAdmissionPolicy) {
 					(
 						"system:masters" in request.userInfo.groups ||
 						"system:serviceaccounts:kube-system" in request.userInfo.groups ||
-						"system:serviceaccounts:fleet-system" in request.userInfo.groups ||
-						"system:serviceaccounts:openshift-kube-controller-manager" in request.userInfo.groups
+						"system:serviceaccounts:fleet-system" in request.userInfo.groups
 					)
 				)
 				  ||
diff --git a/test/e2e/managed_resource_vap_test.go b/test/e2e/managed_resource_vap_test.go
@@ -35,7 +35,6 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/version"
 	"k8s.io/client-go/discovery"
-
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	placementv1beta1 "go.goms.io/fleet/apis/placement/v1beta1"
@@ -53,16 +52,6 @@ var managedByLabelMap = map[string]string{
 	managedByLabel: managedByLabelValue,
 }
 
-// Need this because Entry() evaluates parameters at definition time, not at runtime.
-// Without this, the client value sent to Entry() would always be nil.
-func getUserClient() client.Client {
-	return hubCluster.ImpersonateKubeClient
-}
-
-func getAksServiceClient() client.Client {
-	return hubCluster.SystemMastersClient
-}
-
 var _ = Describe("ValidatingAdmissionPolicy for Managed Resources", Label("managedresource"), Ordered, func() {
 	BeforeEach(func() {
 		discoveryClient := framework.GetDiscoveryClient(hubCluster)
@@ -520,3 +509,13 @@ func isAPIServerVersionAtLeast(disco discovery.DiscoveryInterface, targetVersion
 	server, target := version.MustParseSemantic(serverVersion.GitVersion), version.MustParseSemantic(targetVersion)
 	return server.AtLeast(target), nil
 }
+
+// Need this because Entry() evaluates parameters at definition time, not at runtime.
+// Without this, the client value sent to Entry() would always be nil.
+func getUserClient() client.Client {
+	return hubCluster.ImpersonateKubeClient
+}
+
+func getAksServiceClient() client.Client {
+	return hubCluster.SystemMastersClient
+}

Original file line number	Diff line number	Diff line change
`@@ -373,11 +373,9 @@ func TestGetVAPBindingWithMutator(t *testing.T) {`
`373`	`373`	`// Verify initial state`
`374`	`374`	`if vapb == nil {`
`375`	`375`	`t.Fatal("getVAPBindingWithMutator() returned nil VAP binding")`
`376`		`- return`
`377`	`376`	`}`
`378`	`377`	`if mutateFunc == nil {`
`379`	`378`	`t.Fatal("getVAPBindingWithMutator() returned nil mutate function")`
`380`		`- return`
`381`	`379`	`}`
`382`	`380`
`383`	`381`	`// Verify mutate function works`
Original file line number	Diff line number	Diff line change
`@@ -63,8 +63,7 @@ func mutateValidatingAdmissionPolicy(vap *admv1.ValidatingAdmissionPolicy) {`
`63`	`63`	`(`
`64`	`64`	`"system:masters" in request.userInfo.groups \|\|`
`65`	`65`	`"system:serviceaccounts:kube-system" in request.userInfo.groups \|\|`
`66`		`- "system:serviceaccounts:fleet-system" in request.userInfo.groups \|\|`
`67`		`- "system:serviceaccounts:openshift-kube-controller-manager" in request.userInfo.groups`
	`66`	`+ "system:serviceaccounts:fleet-system" in request.userInfo.groups`
`68`	`67`	`)`
`69`	`68`	`)`
`70`	`69`	`\|\|`