+++ This bug was initially created as a clone of Bug #1935909 +++

Description of problem:

If an operator's ClusterServiceVersion specifies serviceAccountName "default", and the ServiceAccount "default" has an owner reference to a resource that is not a ClusterServiceVersion, then the CSV's status will indicate that its ServiceAccount requirement is PresentNotSatisfied:

    - Kind: ServiceAccount
      Message: Service account is not owned by this ClusterServiceVersion
      Name: default
      Status: PresentNotSatisfied

Version-Release number of selected component (if applicable):

4.5

Regressed as part of a fix for another issue that has since been backported to 4.5.z (https://bugzilla.redhat.com/show_bug.cgi?id=1904584).

How reproducible:

Always

Steps to Reproduce:

1. Ensure that a ServiceAccount exists named "default" and with an owner reference to any namespaced resource that is NOT a ClusterServiceVersion.

2. Create a CSV whose deployment strategy permissions use serviceAccountName "default". Small sample CSV here:

    apiVersion: operators.coreos.com/v1alpha1
    kind: ClusterServiceVersion
    metadata:
      name: sad-csv
      namespace: operators
    spec:
      apiservicedefinitions: {}
      customresourcedefinitions: {}
      displayName: Sad Operator
      install:
        spec:
          permissions:
          - serviceAccountName: default
            rules: []
          deployments:
          - name: sad-deployment
            spec:
              selector:
                matchLabels:
                  app: sad
              template:
                metadata:
                  labels:
                    app: sad
                spec:
                  containers:
                  - image: bitnami/nginx
                    name: sad
        strategy: deployment
      installModes:
      - supported: true
        type: OwnNamespace
      - supported: true
        type: SingleNamespace
      - supported: true
        type: MultiNamespace
      - supported: true
        type: AllNamespaces

3. Look at the status of the created CSV.
Actual results:

    status:
      requirementStatus:
      - group: ""
        kind: ServiceAccount
        message: Service account is not owned by this ClusterServiceVersion
        name: default
        status: PresentNotSatisfied
        version: v1

Expected results:

    status:
      requirementStatus:
      - group: ""
        kind: ServiceAccount
        message: ""
        name: default
        status: Present
        version: v1
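The ownership decision described in this report, modelled side by side as an added example (not OLM's code and not part of the original report). The types, function names and sample UIDs are hypothetical, and treating a ServiceAccount owned only by a different CSV as still unsatisfied is an assumption the report does not state.

```go
package main

import "fmt"

// Simplified stand-ins for the Kubernetes/OLM objects (assumed types, not the real API).
type OwnerRef struct{ Kind, UID string }
type ServiceAccount struct {
	Name   string
	Owners []OwnerRef
}

const csvKind = "ClusterServiceVersion"

// ownedByCSV reports whether any owner is a CSV, and whether one of them is csvUID.
func ownedByCSV(sa ServiceAccount, csvUID string) (anyCSV, thisCSV bool) {
	for _, o := range sa.Owners {
		if o.Kind == csvKind {
			anyCSV = true
			thisCSV = thisCSV || o.UID == csvUID
		}
	}
	return
}

// regressedStatus models the reported behaviour: any owner other than this CSV fails.
func regressedStatus(sa ServiceAccount, csvUID string) string {
	if _, this := ownedByCSV(sa, csvUID); len(sa.Owners) > 0 && !this {
		return "PresentNotSatisfied"
	}
	return "Present"
}

// expectedStatus models the expected result: non-CSV owners are ignored.
// Rejecting a ServiceAccount owned only by a different CSV is an assumption.
func expectedStatus(sa ServiceAccount, csvUID string) string {
	if anyCSV, this := ownedByCSV(sa, csvUID); anyCSV && !this {
		return "PresentNotSatisfied"
	}
	return "Present"
}

func main() {
	// Constructed sample: "default" owned by a non-CSV namespaced resource.
	sa := ServiceAccount{Name: "default", Owners: []OwnerRef{{Kind: "ConfigMap", UID: "cm-1"}}}
	fmt.Println(regressedStatus(sa, "csv-1"), expectedStatus(sa, "csv-1"))
}
```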
Looks good, steps used to reproduce it:

OCP Version: 4.7.0-0.nightly-2021-03-19-061202
OLM version: 0.17.0
git commit: e0b766f81141b5409940ecb10d9b5ae572e52a4c

1) Create the namespace and the default service account is present

    oc get sa default -n test-operators -o yaml

    apiVersion: v1
    imagePullSecrets:
    - name: default-dockercfg-lmvgz
    kind: ServiceAccount
    metadata:
      creationTimestamp: "2021-03-19T15:13:54Z"
      name: default
      namespace: test-operators
      resourceVersion: "51727"
      selfLink: /api/v1/namespaces/test-operators/serviceaccounts/default
      uid: 4e06ab87-0dce-4cfd-b035-7555b4bac4b1
    secrets:
    - name: default-token-95ttq
    - name: default-dockercfg-lmvgz

2) Create the operator group

3) Create the CSV as oriented

4) Check if CSV installation succeeds.

    phase: Succeeded
    reason: InstallSucceeded
    requirementStatus:
    - group: ""
      kind: ServiceAccount
      message: ""
      name: default
      status: Present
      version: v1
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.4 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:0957