Bug 1936707

Summary: New CSV using ServiceAccount named "default" stuck in Pending during upgrade
Product: OpenShift Container Platform
Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: OLM
OLM sub component: OLM
Assignee: Ben Luddy <bluddy>
QA Contact: Bruno Andrade <bandrade>
Status: CLOSED ERRATA
Severity: high
Priority: high
CC: bluddy, jlanford
Version: 4.5
Keywords: Triaged
Target Release: 4.7.z
Hardware: Unspecified
OS: Unspecified
Last Closed: 2021-03-30 04:46:29 UTC
Bug Depends On: 1935909
Bug Blocks: 1940649

Description OpenShift BugZilla Robot 2021-03-09 00:04:19 UTC
+++ This bug was initially created as a clone of Bug #1935909 +++

Description of problem:

If an operator's ClusterServiceVersion specifies serviceAccountName "default", and the ServiceAccount "default" has an owner reference to a resource that is not a ClusterServiceVersion, then the CSV's status will indicate that its ServiceAccount requirement is PresentNotSatisfied:

- Kind:     ServiceAccount
  Message:  Service account is not owned by this ClusterServiceVersion
  Name:     default
  Status:   PresentNotSatisfied

Version-Release number of selected component (if applicable): 4.5

Regressed as part of a fix for another issue that has since been backported to 4.5.z (https://bugzilla.redhat.com/show_bug.cgi?id=1904584).

How reproducible: Always

Steps to Reproduce:
1. Ensure that a ServiceAccount exists named "default" and with an owner reference to any namespaced resource that is NOT a ClusterServiceVersion.
2. Create a CSV whose deployment strategy permissions use serviceAccountName "default". Small sample CSV here:

apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
  name: sad-csv
  namespace: operators
spec:
  apiservicedefinitions: {}
  customresourcedefinitions: {}
  displayName: Sad Operator
  install:
    spec:
      permissions:
      - serviceAccountName: default
        rules: []
      deployments:
      - name: sad-deployment
        spec:
          selector:
            matchLabels:
              app: sad
          template:
            metadata:
              labels:
                app: sad
            spec:
              containers:
              - image: bitnami/nginx
                name: sad
    strategy: deployment
  installModes:
  - supported: true
    type: OwnNamespace
  - supported: true
    type: SingleNamespace
  - supported: true
    type: MultiNamespace
  - supported: true
    type: AllNamespaces

3. Look at the status of the created CSV.

Actual results:

status:
  requirementStatus:
  - group: ""
    kind: ServiceAccount
    message: Service account is not owned by this ClusterServiceVersion
    name: default
    status: PresentNotSatisfied
    version: v1

Expected results:

status:
  requirementStatus:
  - group: ""
    kind: ServiceAccount
    message: ""
    name: default
    status: Present
    version: v1
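
A triage check for the condition this report describes, as an added example that is not part of the original report or of OLM's code: it flags a CSV whose ServiceAccount requirement carries the status and message shown above while that ServiceAccount has an owner reference that is not a ClusterServiceVersion. The sample objects, the ConfigMap owner named example-owner, and the function names are constructed for illustration; real input would be the JSON printed by oc get with -o json.

```python
import json

# Message text exactly as it appears in the CSV status quoted in this report.
NOT_OWNED = "Service account is not owned by this ClusterServiceVersion"

# Constructed sample input, shaped like `oc get csv` / `oc get sa` JSON output.
SAMPLE_CSV = json.loads("""{
  "metadata": {"name": "sad-csv", "namespace": "operators"},
  "status": {"requirementStatus": [
    {"group": "", "kind": "ServiceAccount", "name": "default", "version": "v1",
     "status": "PresentNotSatisfied",
     "message": "Service account is not owned by this ClusterServiceVersion"}]}
}""")
SAMPLE_SA = json.loads("""{
  "metadata": {"name": "default", "namespace": "operators",
    "ownerReferences": [{"apiVersion": "v1", "kind": "ConfigMap", "name": "example-owner"}]}
}""")


def blocked_service_accounts(csv):
    """ServiceAccount requirements reported as present but not owned by the CSV."""
    reqs = csv.get("status", {}).get("requirementStatus") or []
    return [r["name"] for r in reqs
            if r.get("kind") == "ServiceAccount"
            and r.get("status") == "PresentNotSatisfied"
            and r.get("message") == NOT_OWNED]


def non_csv_owners(sa):
    """(kind, name) of each owner reference that is not a ClusterServiceVersion."""
    refs = sa.get("metadata", {}).get("ownerReferences") or []
    return [(o.get("kind"), o.get("name")) for o in refs
            if o.get("kind") != "ClusterServiceVersion"]


def matches_bug(csv, service_accounts):
    """Map each blocked ServiceAccount to its non-CSV owners; empty dict if no match."""
    ns = csv["metadata"]["namespace"]
    by_key = {(s["metadata"].get("namespace"), s["metadata"]["name"]): s
              for s in service_accounts}
    hits = {}
    for name in blocked_service_accounts(csv):
        owners = non_csv_owners(by_key.get((ns, name), {}))
        if owners:
            hits[name] = owners
    return hits


if __name__ == "__main__":
    print(matches_bug(SAMPLE_CSV, [SAMPLE_SA]))
```

An empty result for a CSV that is still Pending means the ServiceAccount requirement is failing for some other reason than the one reported here.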

Comment 2 Bruno Andrade 2021-03-19 15:24:57 UTC
Looks good, steps used to reproduce it:

OCP Version: 4.7.0-0.nightly-2021-03-19-061202
OLM version: 0.17.0
git commit: e0b766f81141b5409940ecb10d9b5ae572e52a4c


1) Create the namespace and the default service account is present

oc get sa default -n test-operators -o yaml     
apiVersion: v1
imagePullSecrets:
- name: default-dockercfg-lmvgz
kind: ServiceAccount
metadata:
  creationTimestamp: "2021-03-19T15:13:54Z"
  name: default
  namespace: test-operators
  resourceVersion: "51727"
  selfLink: /api/v1/namespaces/test-operators/serviceaccounts/default
  uid: 4e06ab87-0dce-4cfd-b035-7555b4bac4b1
secrets:
- name: default-token-95ttq
- name: default-dockercfg-lmvgz

2) Create the operator group
3) Create the CSV as oriented
4) Check if CSV installation succeeds.
  phase: Succeeded
  reason: InstallSucceeded
  requirementStatus:
  - group: ""
    kind: ServiceAccount
    message: ""
    name: default
    status: Present
    version: v1

Comment 5 errata-xmlrpc 2021-03-30 04:46:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.4 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0957