
OCPBUGS-65488: Add cluster-scoped RBAC and CRDs to network ClusterOperator relatedObjects#3013

Open
smulje wants to merge 1 commit into openshift:master from smulje:fix-OCPBUGS-65488

Conversation

smulje (Member) commented May 25, 2026

Summary

Adds missing cluster-scoped resources to the network ClusterOperator's relatedObjects field to enable oc adm inspect clusteroperator/network to collect all relevant resources for debugging.

Associated Bug:

https://redhat.atlassian.net/browse/OCPBUGS-65488

Problem

While checking oc adm inspect clusteroperator output in CI, several cluster-scoped resources deployed via static manifests were missing from the network ClusterOperator's relatedObjects:

  • ClusterRoleBinding: cluster-network-operator
  • ClusterRoleBinding: default-account-cluster-network-operator
  • CRDs: egressrouters.network.operator.openshift.io, operatorpkis.network.operator.openshift.io, networks.operator.openshift.io

This caused oc adm inspect to fail collecting these resources, making debugging more difficult.

Solution

Updated manifests/0000_70_cluster-network-operator_05_clusteroperator.yaml to include these cluster-scoped resources in the status.relatedObjects field.

Testing

Manual Verification

  1. Deploy cluster with updated manifest
  2. Run oc adm inspect clusteroperator/network
  3. Verify the following files are collected:

Before Fix:

clusterroles % ls
metrics-daemon-role.yaml				net-attach-def-project.yaml				openshift-ovn-kubernetes-cluster-reader.yaml		openshift-ovn-kubernetes-udn-editor.yaml
multus-admission-controller-webhook.yaml		network-diagnostics.yaml				openshift-ovn-kubernetes-control-plane-limited.yaml	openshift-ovn-kubernetes-udn-viewer.yaml
multus-ancillary-tools.yaml				network-node-identity.yaml				openshift-ovn-kubernetes-kube-rbac-proxy.yaml		whereabouts-cni.yaml
multus.yaml						openshift-iptables-alerter.yaml				openshift-ovn-kubernetes-node-limited.yaml
 clusterrolebindings % ls
metrics-daemon-sa-rolebinding.yaml			multus-group.yaml					network-node-identity.yaml				openshift-ovn-kubernetes-node-kube-rbac-proxy.yaml
multus-admission-controller-webhook.yaml		multus-transient.yaml					openshift-iptables-alerter.yaml
multus-ancillary-tools.yaml				multus-whereabouts.yaml					openshift-ovn-kubernetes-control-plane-limited.yaml
multus-cluster-readers.yaml				network-diagnostics.yaml				openshift-ovn-kubernetes-node-identity-limited.yaml

After Fix:

inspect.local.1906073230607695611/cluster-scoped-resources/rbac.authorization.k8s.io/clusterroles
clusterroles % ls
metrics-daemon-role.yaml				net-attach-def-project.yaml				openshift-ovn-kubernetes-cluster-reader.yaml		openshift-ovn-kubernetes-udn-editor.yaml
multus-admission-controller-webhook.yaml		network-diagnostics.yaml				openshift-ovn-kubernetes-control-plane-limited.yaml	openshift-ovn-kubernetes-udn-viewer.yaml
multus-ancillary-tools.yaml				network-node-identity.yaml				openshift-ovn-kubernetes-kube-rbac-proxy.yaml		whereabouts-cni.yaml
multus.yaml						openshift-iptables-alerter.yaml				openshift-ovn-kubernetes-node-limited.yaml

clusterrolebindings % ls 
cluster-network-operator.yaml				multus-cluster-readers.yaml				network-diagnostics.yaml				openshift-ovn-kubernetes-node-identity-limited.yaml
metrics-daemon-sa-rolebinding.yaml			multus-group.yaml					network-node-identity.yaml				openshift-ovn-kubernetes-node-kube-rbac-proxy.yaml
multus-admission-controller-webhook.yaml		multus-transient.yaml					openshift-iptables-alerter.yaml
multus-ancillary-tools.yaml				multus-whereabouts.yaml					openshift-ovn-kubernetes-control-plane-limited.yaml

Summary by CodeRabbit

  • Chores
    • Enhanced cluster resource tracking by including additional cluster-scoped RBAC bindings in the system’s recorded related-object status.
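The controller-side change the PR describes (appending the two ClusterRoleBinding references before SetRelatedObjects), as an added Go example that is not the PR's or cluster-network-operator's own code. It uses a local ObjectReference stand-in for configv1.ObjectReference (an assumption), and goes one step further than the patch by making the merge idempotent and exposing a missing-entry check that a unit test can assert on.

```go
package main

import (
	"fmt"
	"sort"
)

// ObjectReference is a local stand-in (an assumption of this example) for the four
// configv1.ObjectReference fields that ClusterOperator.status.relatedObjects carries.
type ObjectReference struct {
	Group     string
	Resource  string
	Namespace string // empty for cluster-scoped objects such as ClusterRoleBindings
	Name      string
}

// staticClusterScopedRelatedObjects holds the two bindings the PR adds: CVO applies
// them from static manifests, so network.Render never emits them and inspect missed them.
var staticClusterScopedRelatedObjects = []ObjectReference{
	{Group: "rbac.authorization.k8s.io", Resource: "clusterrolebindings", Name: "cluster-network-operator"},
	{Group: "rbac.authorization.k8s.io", Resource: "clusterrolebindings", Name: "default-account-cluster-network-operator"},
}

// MergeRelatedObjects returns rendered followed by every static reference not already
// present, keyed on the full (group, resource, namespace, name) tuple. An idempotent merge
// means a repeated reconcile, or a renderer that later emits a binding, cannot duplicate entries.
func MergeRelatedObjects(rendered, static []ObjectReference) []ObjectReference {
	seen := make(map[ObjectReference]struct{}, len(rendered)+len(static))
	out := make([]ObjectReference, 0, len(rendered)+len(static))
	for _, list := range [][]ObjectReference{rendered, static} {
		for _, ref := range list {
			if _, dup := seen[ref]; dup {
				continue
			}
			seen[ref] = struct{}{}
			out = append(out, ref)
		}
	}
	return out
}

// MissingClusterScoped reports which required static references a relatedObjects list
// still lacks, as sorted "resource/name" strings; a test can assert it is empty.
func MissingClusterScoped(related []ObjectReference) []string {
	have := make(map[ObjectReference]struct{}, len(related))
	for _, ref := range related {
		have[ref] = struct{}{}
	}
	missing := []string{}
	for _, want := range staticClusterScopedRelatedObjects {
		if _, ok := have[want]; !ok {
			missing = append(missing, want.Resource+"/"+want.Name)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	// Constructed sample of what the renderer tracks today (the operatorpkis instances shown in the review).
	rendered := []ObjectReference{
		{Group: "network.operator.openshift.io", Resource: "operatorpkis", Namespace: "openshift-ovn-kubernetes", Name: "ovn"},
		{Group: "network.operator.openshift.io", Resource: "operatorpkis", Namespace: "openshift-ovn-kubernetes", Name: "signer"},
	}
	fmt.Println("missing before merge:", MissingClusterScoped(rendered))
	merged := MergeRelatedObjects(rendered, staticClusterScopedRelatedObjects)
	fmt.Println("missing after merge:", MissingClusterScoped(merged), "entries:", len(merged))
}
```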

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 25, 2026
@openshift-ci-robot openshift-ci-robot added jira/severity-low Referenced Jira bug's severity is low for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 25, 2026
openshift-ci-robot (Contributor) commented:

@smulje: This pull request references Jira Issue OCPBUGS-65488, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

Adds missing cluster-scoped resources to the network ClusterOperator's relatedObjects field to enable oc adm inspect clusteroperator/network to collect all relevant resources for debugging.

Problem

While checking oc adm inspect clusteroperator output in CI, several cluster-scoped resources deployed via static manifests were missing from the network ClusterOperator's relatedObjects:

  • ClusterRoleBinding: cluster-network-operator
  • ClusterRoleBinding: default-account-cluster-network-operator
  • CRDs: egressrouters.network.operator.openshift.io, operatorpkis.network.operator.openshift.io, networks.operator.openshift.io

This caused oc adm inspect to fail collecting these resources, making debugging more difficult.

Solution

Updated manifests/0000_70_cluster-network-operator_05_clusteroperator.yaml to include these cluster-scoped resources in the status.relatedObjects field.

Changes

  • Added 2 ClusterRoleBindings to relatedObjects
  • Added 3 CustomResourceDefinitions to relatedObjects
  • No Go code changes required (follows pattern from other operators)

Testing

Manual Verification

  1. Deploy cluster with updated manifest
  2. Run oc adm inspect clusteroperator/network
  3. Verify the following files are collected:
cluster-scoped-resources/rbac.authorization.k8s.io/clusterrolebindings/cluster-network-operator.yaml
cluster-scoped-resources/rbac.authorization.k8s.io/clusterrolebindings/default-account-cluster-network-operator.yaml
cluster-scoped-resources/apiextensions.k8s.io/customresourcedefinitions/egressrouters.network.operator.openshift.io.yaml
cluster-scoped-resources/apiextensions.k8s.io/customresourcedefinitions/operatorpkis.network.operator.openshift.io.yaml
cluster-scoped-resources/apiextensions.k8s.io/customresourcedefinitions/networks.operator.openshift.io.yaml

Expected vs Actual

Before: Only cloud-network-config-controller and metrics-daemon-sa-rolebinding ClusterRoleBindings collected
After: All CNO-owned ClusterRoleBindings and CRDs are collected

References

Risk Assessment

Low Risk:

  • Only adds to existing relatedObjects, doesn't remove anything
  • Resources already exist in cluster, we're just making them discoverable
  • Follows proven pattern from other operators
  • No functional code changes
  • Manifest-only change

🤖 Generated with Claude Code via /jira:solve OCPBUGS-65488

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai Bot commented May 25, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

In the Reconcile method of operconfig_controller.go, two cluster-scoped ClusterRoleBinding resource references (cluster-network-operator and default-account-cluster-network-operator) are appended to the relatedObjects slice before SetRelatedObjects is called.

Changes

Related Objects Extension
  • Layer: Append ClusterRoleBinding references to relatedObjects
  • File(s): pkg/controller/operconfig/operconfig_controller.go
  • Summary: Appends two ClusterRoleBinding static references (cluster-network-operator, default-account-cluster-network-operator) to the relatedObjects slice in Reconcile, ensuring they are included when SetRelatedObjects records status.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • jcaamano
  • arghosh93
🚥 Pre-merge checks: 15 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately reflects the main change: adding cluster-scoped RBAC resources to the network ClusterOperator relatedObjects, which matches the raw summary and PR objectives.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: Passed. PR contains no Ginkgo test definitions. Changes are to controller code and manifest files only, not test files. Custom check for stable test names is not applicable.
  • Test Structure And Quality: Passed. This PR is not a Ginkgo test change; it updates the operconfig controller to add cluster-scoped RBAC resources to relatedObjects. No Ginkgo tests are present in the modified code. Ginkgo quality re...
  • Microshift Test Compatibility: Passed. No Ginkgo e2e tests are added in this PR. The repository uses only standard Go unit tests, not Ginkgo. Check is not applicable.
  • Single Node Openshift (Sno) Test Compatibility: Passed. No new Ginkgo e2e tests were added in this PR. The change only updates manifest and controller code to include missing cluster-scoped resources in relatedObjects. Check is not applicable.
  • Topology-Aware Scheduling Compatibility: Passed. This PR only adds entries to the ClusterOperator.Status.relatedObjects field for debugging/inspection purposes. It introduces no scheduling constraints, node selectors, affinity rules, tolerations,...
  • Ote Binary Stdout Contract: Passed. Added code is in Reconcile() method (runtime code, not process-level), contains only data struct appends, no I/O or stdout writes.
  • Ipv6 And Disconnected Network Test Compatibility: Passed. This PR does not add any new Ginkgo e2e tests. It only updates controller code in pkg/controller/operconfig/operconfig_controller.go to append two ClusterRoleBinding entries to relatedObjects, and...
  • No-Weak-Crypto: Passed. The PR adds two ClusterRoleBinding references to relatedObjects in operconfig_controller.go. The changes contain only struct initialization with string literals and do not introduce any cryptograph...
  • Container-Privileges: Passed. The PR adds cluster-scoped RBAC references to relatedObjects in controller code, not creating privileged containers. Existing deployments use: hostNetwork (justified for network operator), runAsNon...
  • No-Sensitive-Data-In-Logs: Passed. PR adds RBAC resource references to relatedObjects with no logging of sensitive data. Only public resource names and standard Kubernetes API metadata are included.


Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label May 25, 2026
openshift-ci Bot (Contributor) commented May 25, 2026

Hi @smulje. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci Bot (Contributor) commented May 25, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: smulje
Once this PR has been reviewed and has the lgtm label, please assign abhat for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details: Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@manifests/0000_70_cluster-network-operator_05_clusteroperator.yaml`:
- Around line 10-25: The controller is overwriting
ClusterOperator.status.relatedObjects with only objects from network.Render(...)
(via pkg/controller/operconfig/operconfig_controller.go ->
r.status.SetRelatedObjects) and status_manager.set() calls
deleteRelatedObjectsNotRendered(co), which removes the three CRDs and two
ClusterRoleBindings declared in this manifest; fix by either ensuring the
computed relatedObjects (in operconfig_controller.go / network.Render) includes
the two ClusterRoleBinding names (cluster-network-operator and
default-account-cluster-network-operator) and the three CRD names
(egressrouters.network.operator.openshift.io,
operatorpkis.network.operator.openshift.io, networks.operator.openshift.io), or
modify pkg/controller/statusmanager/status_manager.go (set() /
deleteRelatedObjectsNotRendered) to merge/preserve CVO-managed relatedObjects by
adding those CRD names to keepCRDs or by changing deletion logic to union
existing co.Status.RelatedObjects with rendered status.relatedObjects for known
CVO-managed entries.


📥 Commits

Reviewing files that changed from the base of the PR and between bea98c0 and eac3560.

📒 Files selected for processing (1)
  • manifests/0000_70_cluster-network-operator_05_clusteroperator.yaml

Comment thread manifests/0000_70_cluster-network-operator_05_clusteroperator.yaml Outdated
@smulje smulje force-pushed the fix-OCPBUGS-65488 branch 2 times, most recently from c94e52e to fad0e27 Compare May 25, 2026 11:02
@smulje smulje marked this pull request as ready for review May 25, 2026 13:01
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 25, 2026
@openshift-ci openshift-ci Bot requested review from arghosh93 and bpickard22 May 25, 2026 13:01
arghosh93 (Contributor) commented:

/ok-to-test

@openshift-ci openshift-ci Bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 4, 2026
smulje (Member, Author) commented Jun 8, 2026

/test e2e-aws-ovn-upgrade

arghosh93 (Contributor) left a comment

I understand that all resources belonging to https://github.com/openshift/cluster-network-operator/tree/master/manifests are not being tracked in relatedObjects of the network ClusterOperator CR. It is logical, as files in the manifests directory are supposed to be deployed and reconciled by cluster-version-operator and not CNO. So it also does not make sense to have those in relatedObjects of the network CO.

Did you check whether all objects under the manifest directory of CNO should be in relatedObjects of the network CO? Or do we only care about the objects that you added in your PR? Did you have any conversation regarding this with anyone?

include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/single-node-developer: "true"
status:
relatedObjects:
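Review bot: setting status.relatedObjects in this CVO-applied manifest has no lasting effect, because the controller rebuilds the list from network.Render(...) and status_manager's deleteRelatedObjectsNotRendered drops entries the renderer did not emit (as the CodeRabbit inline comment on this file describes); keep the two ClusterRoleBinding references in operconfig_controller.go only and leave the status block out of the manifest.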

arghosh93 (Contributor) commented Jun 8, 2026

Why are you adding it here and also at operconfig_controller.go? We should never set status in the manifest, I think.

@smulje smulje force-pushed the fix-OCPBUGS-65488 branch 2 times, most recently from 554c8ab to d2c6769 Compare June 18, 2026 11:10
Name: "operatorpkis.network.operator.openshift.io",
})

relatedObjects = append(relatedObjects, configv1.ObjectReference{

Contributor commented:

We already capture this in the must-gather. Is there any other reason to include it in relatedObjects?

relatedObjects = append(relatedObjects, configv1.ObjectReference{
Group: "apiextensions.k8s.io",
Resource: "customresourcedefinitions",
Name: "operatorpkis.network.operator.openshift.io",
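Review bot: this CRD append is redundant: relatedObjects already carries the operatorpkis instances (ovn and signer in openshift-ovn-kubernetes, per the oc get co network output in this thread), so the entry adds nothing to what inspect already reaches; drop it and keep only the cluster-scoped RBAC references that the inspect output showed missing.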

Contributor commented:

Why do we need the CRD in relatedObjects? We already have the related operatorpkis added there.

$ oc get co network -oyaml|grep operatorpkis -3
  - group: network.operator.openshift.io
    name: ovn
    namespace: openshift-ovn-kubernetes
    resource: operatorpkis
  - group: network.operator.openshift.io
    name: signer
    namespace: openshift-ovn-kubernetes
    resource: operatorpkis


relatedObjects = append(relatedObjects, configv1.ObjectReference{
Group: "apiextensions.k8s.io",
Resource: "customresourcedefinitions",

Contributor commented:

Why is this CRD required?

smulje (Member, Author) commented Jun 19, 2026

Hi @arghosh93, thank you for the review. You're right about the CRDs. I've removed all three CRDs and kept just the ClusterRoleBindings.

I compared the oc adm inspect clusteroperator/network output with what's actually in relatedObjects to verify this.

For operatorpkis, like you mentioned, we already have the CR instances listed. When inspect collects those CRs, it can access the CRD schema anyway, so adding the CRD separately doesn't help. Same thing for the networks CRD.

The two ClusterRoleBindings are different though. I checked the actual inspect output and cluster-network-operator and default-account-cluster-network-operator are missing. These are cluster-scoped RBAC resources that don't get auto-collected. They're defined in the manifests but not being collected right now.

@smulje smulje requested a review from arghosh93 June 19, 2026 12:51
Add cluster-network-operator and default-account-cluster-network-operator
ClusterRoleBindings to relatedObjects for oc adm inspect collection.

These cluster-scoped RBAC resources are not auto-collected and are
currently missing from inspect output. They are essential for debugging
RBAC/permission issues with the cluster-network-operator ServiceAccount.

Fixes: OCPBUGS-65488
Signed-off-by: Swati Mulje <smulje@redhat.com>
@smulje smulje force-pushed the fix-OCPBUGS-65488 branch from 080e5dd to cd2ec6b Compare June 19, 2026 12:53
openshift-ci Bot (Contributor) commented Jun 19, 2026

@smulje: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • ci/prow/e2e-ovn-ipsec-step-registry (commit cd2ec6b, required): /test e2e-ovn-ipsec-step-registry
  • ci/prow/e2e-azure-ovn-upgrade (commit cd2ec6b, required): /test e2e-azure-ovn-upgrade
  • ci/prow/e2e-aws-ovn-rhcos10-techpreview (commit cd2ec6b, not required): /test e2e-aws-ovn-rhcos10-techpreview
  • ci/prow/e2e-aws-ovn-upgrade-ipsec (commit cd2ec6b, required): /test e2e-aws-ovn-upgrade-ipsec
  • ci/prow/e2e-gcp-ovn-upgrade (commit cd2ec6b, required): /test e2e-gcp-ovn-upgrade
  • ci/prow/e2e-aws-ovn-upgrade (commit cd2ec6b, required): /test e2e-aws-ovn-upgrade
  • ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec (commit cd2ec6b, required): /test e2e-metal-ipi-ovn-ipv6-ipsec
  • ci/prow/e2e-metal-ipi-ovn-dualstack-bgp (commit cd2ec6b, required): /test e2e-metal-ipi-ovn-dualstack-bgp
  • ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw (commit cd2ec6b, required): /test e2e-metal-ipi-ovn-dualstack-bgp-local-gw
  • ci/prow/5.0-upgrade-from-stable-4.22-e2e-azure-ovn-upgrade (commit cd2ec6b, not required): /test 5.0-upgrade-from-stable-4.22-e2e-azure-ovn-upgrade
  • ci/prow/5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade (commit cd2ec6b, not required): /test 5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade
  • ci/prow/5.0-upgrade-from-stable-4.22-e2e-aws-ovn-upgrade (commit cd2ec6b, not required): /test 5.0-upgrade-from-stable-4.22-e2e-aws-ovn-upgrade


Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
