allow cluster-version-operator sa to update cvo #492

Merged: bmeng merged 1 commit into openshift:master from bmeng:cvo, Apr 27, 2026

@bmeng bmeng commented Apr 27, 2026

Address the 4.22 cvo updating issue

Summary by CodeRabbit

  • New Features

    • Enhanced authorization policies for cluster version management operators to perform required cluster updates.
    • Added support for managed upgrade operator service account permissions.
  • Tests

    • Added test coverage to verify cluster version operator and managed upgrade operator permissions for cluster version updates.

@openshift-ci openshift-ci Bot requested review from Mhodesty and anispate April 27, 2026 05:49
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 27, 2026
coderabbitai Bot commented Apr 27, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9d3d0393-9aa1-4a19-a96e-6dc0516d5330

📥 Commits

Reviewing files that changed from the base of the PR and between 329b941 and cab8d00.

📒 Files selected for processing (2)
  • pkg/webhooks/regularuser/common/regularuser.go
  • pkg/webhooks/regularuser/common/regularuser_test.go

Walkthrough

Adds the openshift-cluster-version/cluster-version-operator service account to the cluster version users allowlist in webhook authorization logic, enabling it to manage ClusterVersion resources. Corresponding test cases verify that both this account and the managed-upgrade-operator service account are authorized to perform update operations on clusterversions.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Authorization Allowlist Update / pkg/webhooks/regularuser/common/regularuser.go | Adds openshift-cluster-version/cluster-version-operator service account to clusterVersionUsers allowlist for webhook authorization. |
| Test Coverage / pkg/webhooks/regularuser/common/regularuser_test.go | Adds two new test scenarios to TestSubjectPermissionsClusterVersions validating that cluster-version-operator and managed-upgrade-operator service accounts are permitted to perform update operations on clusterversions. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Test Structure And Quality | ❓ Inconclusive | Custom check designed for Ginkgo test code review, but pull request contains standard Go testing with testing.T, not Ginkgo framework. | Clarify whether check should evaluate standard Go testing patterns and Ginkgo tests, or only Ginkgo-based tests. |

✅ Passed checks (11 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: adding cluster-version-operator serviceaccount to the allowlist for ClusterVersion resource updates. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | Test names added are static and deterministic with no dynamic patterns like UUIDs, timestamps, or generated identifiers. |
| Microshift Test Compatibility | ✅ Passed | The pull request does not add new Ginkgo e2e tests; it adds test cases to an existing standard Go unit test function without Ginkgo patterns. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | The pull request adds standard Go unit tests to a validating webhooks framework that test authorization logic for specific service accounts, with no cluster topology or infrastructure-level assumptions. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR modifies only webhook validation logic for ClusterVersion updates with no impact on scheduling constraints or topology-aware configurations. |
| Ote Binary Stdout Contract | ✅ Passed | PR changes add a serviceaccount to an allowlist and test cases; no stdout writes detected in process-level code. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR adds only Go unit tests to regularuser_test.go, not Ginkgo e2e tests, so the IPv4/external connectivity check is not applicable. |

@feichashao
Contributor

Context:

Since 4.22, CVO uses dedicated SAs instead of default.
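
An exact-match service account allowlist of the kind this PR extends, as an added example that is not code from the repository. It shows why an operator that moves from the default service account to a dedicated one is denied until the allowlist is updated. The names `saRef`, `clusterVersionSAs`, `parseServiceAccount` and `mayUpdateClusterVersion` are hypothetical, and the allowlist holds only the account named in this PR.

```go
package main

import (
	"fmt"
	"strings"
)

// saRef identifies a service account by namespace and name (hypothetical type).
type saRef struct{ Namespace, Name string }

// clusterVersionSAs is a hypothetical allowlist for this example; its only
// entry is the service account named in this PR.
var clusterVersionSAs = map[saRef]bool{
	{"openshift-cluster-version", "cluster-version-operator"}: true,
}

// parseServiceAccount splits "system:serviceaccount:<namespace>:<name>".
// Any other prefix or segment count is rejected rather than guessed at.
func parseServiceAccount(username string) (saRef, bool) {
	parts := strings.Split(username, ":")
	if len(parts) != 4 || parts[0] != "system" || parts[1] != "serviceaccount" ||
		parts[2] == "" || parts[3] == "" {
		return saRef{}, false
	}
	return saRef{parts[2], parts[3]}, true
}

// mayUpdateClusterVersion reports whether the requester is an allowlisted
// service account. It compares namespace and name exactly and also requires
// the per-namespace group Kubernetes attaches to service account identities.
func mayUpdateClusterVersion(username string, groups []string) bool {
	sa, ok := parseServiceAccount(username)
	if !ok || !clusterVersionSAs[sa] {
		return false
	}
	for _, g := range groups {
		if g == "system:serviceaccounts:"+sa.Namespace {
			return true
		}
	}
	return false
}

func main() {
	g := []string{"system:serviceaccounts:openshift-cluster-version"} // constructed sample
	fmt.Println(mayUpdateClusterVersion("system:serviceaccount:openshift-cluster-version:cluster-version-operator", g))
	fmt.Println(mayUpdateClusterVersion("system:serviceaccount:openshift-cluster-version:default", g))
}
```
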

openshift-ci Bot commented Apr 27, 2026

@bmeng: all tests passed!

@feichashao
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Apr 27, 2026
openshift-ci Bot commented Apr 27, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bmeng, feichashao

@bmeng bmeng merged commit 7d17099 into openshift:master Apr 27, 2026
9 checks passed