Skip to content

OCPBUGS-65633: add network-check-target + networking-console-plugin service accounts #2868

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ehearne-redhat wants to merge 3 commits into
base: master
Choose a base branch
from
Open

OCPBUGS-65633: add network-check-target + networking-console-plugin service accounts #2868

ehearne-redhat wants to merge 3 commits into from

Conversation

@ehearne-redhat
Copy link

@ehearne-redhat ehearne-redhat commented Jan 7, 2026
edited
Loading

This PR adds a service account to openshift-network-diagnostics/network-check-target- and openshift-network-console/networking-console-plugin- pods. It also includes a change to render_test as the number 14 for number of YAMLs to check for is now 15 due to added RBAC manifest. The ordering of the manifests have been changed to allow for the correct application of manifests.

The reason for this change is that these pods should use their own bespoke service account, not default.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 7, 2026
@coderabbitai
Copy link

coderabbitai bot commented Jan 7, 2026
edited
Loading

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Excluded labels (none allowed) (1)
  • do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Adds two new ServiceAccount manifests (network-check-target in openshift-network-diagnostics; networking-console-plugin in openshift-network-console). Updates the network-check-target DaemonSet and the networking-console-plugin Deployment pod specs to use their respective ServiceAccounts.

Changes

Cohort / File(s) Summary
network-diagnostics ServiceAccount & DaemonSet
bindata/network-diagnostics/001-rbac.yaml, bindata/network-diagnostics/network-check-target.yaml		 Appends a ServiceAccount network-check-target in namespace openshift-network-diagnostics; updates DaemonSet pod spec to use serviceAccount: network-check-target (replacing default).
networking-console-plugin ServiceAccount & Deployment
bindata/networking-console-plugin/001-rbac.yaml, bindata/networking-console-plugin/003-deployment.yaml		 Adds ServiceAccount networking-console-plugin in namespace openshift-network-console; sets Deployment pod spec serviceAccount: networking-console-plugin.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci-robot openshift-ci-robot added jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jan 7, 2026
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jan 7, 2026

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65633, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @anuragthehatter

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 7, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ehearne-redhat
Once this PR has been reviewed and has the lgtm label, please assign jacobtanenbaum for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ehearne-redhat
Copy link
Author

ehearne-redhat commented Jan 7, 2026

@coderabbitai review

@coderabbitai
Copy link

coderabbitai bot commented Jan 7, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai[bot]
coderabbitai bot reviewed Jan 7, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Fix all issues with AI agents 
In @bindata/network-diagnostics/001-rbac.yaml:
- Around line 132-138: Change the ServiceAccount manifest to use the correct
core API group by replacing apiVersion: rbac.authorization.k8s.io with
apiVersion: v1 for the ServiceAccount named network-check-target in namespace
openshift-network-diagnostics, and remove the trailing whitespace on the blank
line after namespace (line containing only whitespace) to ensure the YAML is
accepted by Kubernetes.

In @bindata/networking-console-plugin/001-rbac.yaml:
- Around line 1-5: The manifest declares a ServiceAccount with the wrong
apiVersion; change the apiVersion for the ServiceAccount resource from
"rbac.authorization.k8s.io" to "v1" so Kubernetes accepts it; update the
apiVersion field at the top of the ServiceAccount definition (metadata.name:
networking-console-plugin, metadata.namespace: openshift-network-console) to
"v1" and keep the rest of the ServiceAccount spec unchanged.
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 9d8ab48 and b161b78.

📒 Files selected for processing (6)
  • bindata/network-diagnostics/001-rbac.yaml
  • bindata/network-diagnostics/network-check-target.yaml
  • bindata/networking-console-plugin/001-rbac.yaml
  • bindata/networking-console-plugin/002-config-map.yaml
  • bindata/networking-console-plugin/003-deployment.yaml
  • bindata/networking-console-plugin/005-service.yaml
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • bindata/networking-console-plugin/001-rbac.yaml
  • bindata/network-diagnostics/001-rbac.yaml
  • bindata/network-diagnostics/network-check-target.yaml
  • bindata/networking-console-plugin/003-deployment.yaml
🔇 Additional comments (2)
bindata/networking-console-plugin/003-deployment.yaml (1)

58-58: LGTM!

The serviceAccount assignment correctly references the networking-console-plugin ServiceAccount defined in 001-rbac.yaml. The namespace alignment is correct, and the configuration with automountServiceAccountToken: false indicates this is used for pod security context rather than API access.

bindata/network-diagnostics/network-check-target.yaml (1)

66-66: LGTM!

The serviceAccount assignment correctly references the network-check-target ServiceAccount defined in bindata/network-diagnostics/001-rbac.yaml. The namespace alignment is correct.

@ehearne-redhat
Copy link
Author

ehearne-redhat commented Jan 7, 2026

@coderabbitai review

@coderabbitai
Copy link

coderabbitai bot commented Jan 7, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@ehearne-redhat
Copy link
Author

ehearne-redhat commented Jan 8, 2026

/retest

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jan 9, 2026

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65633, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @anuragthehatter

Details

In response to this:

This PR adds a service account to openshift-network-diagnostics/network-check-target- and openshift-network-console/networking-console-plugin- pods. It also includes a change to render_test as the number 14 for number of YAMLs to check for is now 15 due to added RBAC manifest. The ordering of the manifests have been changed to allow for the correct application of manifests.

The reason for this change is that these pods should use their own bespoke service account, not default.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@ehearne-redhat
Copy link
Author

ehearne-redhat commented Jan 9, 2026

/test hypershift-e2e-aks
/test e2e-aws-ovn-hypershift-conformance

@ehearne-redhat ehearne-redhat changed the title [WIP] OCPBUGS-65633: add network-check-target + networking-console-plugin service accounts OCPBUGS-65633: add network-check-target + networking-console-plugin service accounts Jan 9, 2026
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 9, 2026
@ehearne-redhat
Copy link
Author

ehearne-redhat commented Jan 9, 2026

/test e2e-aws-ovn-hypershift-conformance

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 9, 2026

@ehearne-redhat: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/security b2ea5a2 link false /test security
ci/prow/e2e-aws-ovn-hypershift-conformance b2ea5a2 link true /test e2e-aws-ovn-hypershift-conformance
ci/prow/hypershift-e2e-aks b2ea5a2 link true /test hypershift-e2e-aks

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@anuragthehatter anuragthehatter Awaiting requested review from anuragthehatter

@arkadeepsen arkadeepsen Awaiting requested review from arkadeepsen

@kyrtapz kyrtapz Awaiting requested review from kyrtapz

Assignees

No one assigned

Labels

jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ehearne-redhat @openshift-ci-robot