OLS-3520: Grant operator RBAC to create alerts adapter proposals ClusterRole#1803
Conversation
|
@blublinsky: This pull request references OLS-3520 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Warning Review limit reached
Next review available in: 43 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (13)
📝 WalkthroughWalkthroughThis PR grants the operator's controller and its ClusterServiceVersion clusterPermissions additional RBAC access (get, list, create) on proposals.agentic.openshift.io resources. It also updates the bundle CSV's createdAt timestamp and minor formatting in a TLS secret description field. ChangesProposals RBAC Permissions
Estimated code review effort: 1 (Trivial) | ~5 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
vimalk78
left a comment
There was a problem hiding this comment.
AI Review — OLS-3520 + OLS-3475 (operator portion)
Score: 97/100 — PASS
Adherence
| # | Criterion | Status |
|---|---|---|
| 1 | Operator SA has RBAC matching the ClusterRole it creates for alerts adapter | PASS |
| 2 | Operator-side Proposal→AgenticRun rename (constants, functions, errors, logs) | PASS |
| 3 | Legacy proposals ClusterRole/ClusterRoleBinding cleaned up on reconcile | PASS |
| 4 | Tests updated for rename | PASS |
| 5 | Documentation updated for rename | PASS |
Code Quality
One nice-to-have observation:
removeLegacyProposalsClusterRBACruns during reconciliation but not duringRemoveAlertsAdapter(finalization/disable path). If the operator upgrades and the CR is deleted before any reconciliation occurs, legacy ClusterRole/ClusterRoleBinding would be orphaned. Practically harmless — orphaned RBAC with no bound SA has no effect, and the scenario requires a narrow race.
Notes
- RBAC marker verbs (
get;list;create) correctly match the operand ClusterRole — least privilege, no unnecessarydelete - Legacy constant
AlertsAdapterLegacyProposalsClusterRoleNamereused for both CR and CRB lookups is correct — K8s distinguishes by GVK, and both old resources shared the same name - Clean, well-scoped PR
🤖 Generated with Claude Code
|
/lgtm |
|
/approve |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: blublinsky The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/override ci/prow/bundle-e2e-4-21 images mismatch |
|
@blublinsky: Overrode contexts on behalf of blublinsky: ci/prow/bundle-e2e-4-21 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@blublinsky: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Description
Summary
This PR fixes alerts adapter Phase 1 reconciliation failing to create the alerts adapter ClusterRole due to RBAC escalation, and renames alerts-adapter operand RBAC from
Proposal/proposalstoAgenticRun/agenticrunsto align with upstream API changes.RBAC escalation fix (OLS-3520)
When
spec.ols.deployment.alertsAdapter.configMapRefis set, the operator creates a ClusterRole granting the alerts adapter SAget,list, andcreateonagentic.openshift.io/agenticruns. The operator SA must hold those same permissions before it can create that ClusterRole.OLSConfigReconcilerforagentic.openshift.io/agenticruns(get,list,create)config/rbac/role.yamland bundle CSVclusterPermissionsRoot cause: OLS-3348 added operand RBAC in
alertsadapter.GenerateAgenticRunsClusterRolebut did not add the matching operator permission marker. Reconcile fails with a forbiddenclusterrolescreate; Phase 2 deployment is skipped because Phase 1 returns an error.Proposal → AgenticRun rename (OLS-3475)
Aligns with lightspeed-agentic-operator #285 and lightspeed-agentic-alerts-adapter #54:
agentic.openshift.io/proposalsagentic.openshift.io/agenticrunslightspeed-agentic-alerts-adapter-proposalslightspeed-agentic-alerts-adapter-agenticrunsGenerateProposalsClusterRoleGenerateAgenticRunsClusterRoleremoveLegacyProposalsClusterRBACdeletes the old…-proposalscluster RBAC on upgraderole.yaml, bundle CSV, tests, and docs/specsIntentionally unchanged (console/product UI terms; separate console PR):
/lightspeed/proposalsroute and "proposals" UI copy in AGENTS.md.Type of change
Related Tickets & Documents
Closes https://redhat.atlassian.net/browse/OLS-3520
Checklist before requesting a review
Testing
make testmake lintspec.ols.deployment.alertsAdapter.configMapRefset; verify Phase 1 createslightspeed-agentic-alerts-adapter-agenticrunsClusterRole/ClusterRoleBinding withagenticrunspermissions…-proposalscluster RBAC; verify legacy resources are removed