OCPBUGS-65629: ensure canary daemon set uses its own service account.

[ehearne-redhat]

What

• Ensure the canary daemon set uses its own service account, rather than the default service account.

Why

• Using the default service account is a security issue. Using a bespoke service account ensures minimal permissions are given to the daemonset.

How

• A service account has been created for the canary daemonset.
• A cluster role binding has been created which references an already existing openshift-ingress-operator cluster role.
• This cluster role binding is also attached to the service account for the canary daemon set.
• The reconciler now detects resource creation of the cluster role binding and service account.
• Tests have been made for the new changes.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign knobunc for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ehearne-redhat]

These tests are failing because of an improper serviceAccount mount for the ingress-canary daemonset. Working on serviceAccount and related items creation and attachment to ingress-canary daemonset.

[ehearne-redhat]

I will remove the unnecessary code once tests come back.

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65629, which is invalid:

• expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

WIP - do not merge .

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ehearne-redhat]

/jira refresh

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65629, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ehearne-redhat]

/test okd-scos-images

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65629, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

WIP - do not merge .

What

• Ensure the canary daemon set uses its own service account, rather than the default service account.

Why

• Using the default service account is a security issue. Using a bespoke service account ensures minimal permissions are given to the daemonset.

How

• A service account has been created for the canary daemonset.
• A cluster role binding has been created which references an already existing openshift-ingress-operator cluster role.
• This cluster role binding is also attached to the service account for the canary daemon set.
• The reconciler now detects resource creation of the cluster role binding and service account.
• Tests have been made for the new changes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ehearne-redhat]

/test hypershift-e2e-aks

[ehearne-redhat]

test e2e-aws-pre-release-ossm shows the service account is mounted and the pod is running.

ehearne-mac:must-gather (6) ehearne$ omc -n openshift-ingress-canary get pod ingress-canary-82txj -o yaml
apiVersion: v1
kind: Pod
...
  generateName: ingress-canary-
...
  name: ingress-canary-82txj
  namespace: openshift-ingress-canary
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: DaemonSet
    name: ingress-canary
...
spec:
...
  serviceAccount: ingress-canary
  serviceAccountName: ingress-canary
...
  phase: Running
  podIP: 10.129.2.9
  podIPs:
  - ip: 10.129.2.9
  qosClass: Burstable
  startTime: "2025-11-27T18:44:24Z"

[lihongan]

/retest-required

[lihongan]

/retest-required

[ehearne-redhat]

/retest

[lihongan]

pre-merge tested and no issues found

// without the fix PR
$ oc -n openshift-ingress-canary get serviceaccounts 
NAME       SECRETS   AGE
builder    1         8h
default    1         8h
deployer   1         8h

$ oc -n openshift-ingress-canary get pod ingress-canary-gw8rz -oyaml | grep -i serviceaccount
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
  serviceAccount: default
  serviceAccountName: default

$ oc -n openshift-ingress-canary get clusterrolebindings openshift-ingress-canary
Error from server (NotFound): clusterrolebindings.rbac.authorization.k8s.io "openshift-ingress-canary" not found

// with the fix PR
$ oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.21.0-0-2025-11-28-081649-test-ci-ln-2dzjdit-latest   True        False         76m     Cluster version is 4.21.0-0-2025-11-28-081649-test-ci-ln-2dzjdit-latest

$ oc -n openshift-ingress-canary get serviceaccount
NAME             SECRETS   AGE
builder          1         88m
default          1         91m
deployer         1         88m
ingress-canary   1         91m                 <<<<-----------

$ oc -n openshift-ingress-canary get clusterrolebindings openshift-ingress-canary
NAME                       ROLE                                     AGE
openshift-ingress-canary   ClusterRole/openshift-ingress-operator   66m

$ oc -n openshift-ingress-canary get ds ingress-canary -oyaml | grep -i serviceaccount
      serviceAccount: ingress-canary
      serviceAccountName: ingress-canary

$ oc -n openshift-ingress-canary get pod ingress-canary-f8l2h -oyaml | grep -i serviceaccount
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
  serviceAccount: ingress-canary
  serviceAccountName: ingress-canary

[ehearne-redhat]

/retest

[ehearne-redhat]

/test hypershift-e2e-aks

[ehearne-redhat]

/test e2e-aws-pre-release-ossm

[ehearne-redhat]

/test e2e-aws-ovn

[ehearne-redhat]

/test hypershift-e2e-aks

[ehearne-redhat]

/test e2e-aws-pre-release-ossm

[ehearne-redhat]

/test e2e-aws-pre-release-ossm
/test hypershift-e2e-aks

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[openshift-ci]

@ehearne-redhat: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-pre-release-ossm	e999f8a	link	false	/test e2e-aws-pre-release-ossm

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.