fix(rbac): implement registry rolebinding finalization for OpenShift #1641

Open
danielpenad wants to merge 1 commit into devfile:main from InditexTech:bugfix/GH-1640-image-puller-rolebinding

Conversation

@danielpenad danielpenad commented Jun 8, 2026


Closes #1640

What does this PR do?

This PR fixes an OpenShift-specific RBAC leak in the shared registry image-puller RoleBinding.

When a DevWorkspace is deleted, the operator now cleans up its ServiceAccount from:

devworkspace-registry-image-puller-<namespace>-binding

If there are no remaining non-deleted DevWorkspaces in the namespace, the shared RoleBinding is deleted entirely. The fix only affects the OpenShift system:image-puller RoleBinding cleanup path and does not change the existing default workspace RBAC or SCC RBAC behavior.

What issues does this PR fix or reference?

Fixes the shared OpenShift registry image-puller RoleBinding subject leak described in:

Related issues:

Is it tested? How?

Yes.

Local validation:

  • go test ./pkg/provision/workspace/rbac
  • make test

Live validation on OpenShift (Already done by me):

  1. Built a custom image locally with this fix.
  2. Pushed the image to our registry.
  3. Updated devworkspace-controller-manager to use the custom image.
  4. Ran live verification by creating and deleting DevWorkspaces on OpenShift.
  5. Confirmed the deleted workspace ServiceAccount is removed from devworkspace-registry-image-puller-<namespace>-binding.
  6. Confirmed the shared RoleBinding is deleted when the last remaining DevWorkspace in the namespace is finalized.

PR Checklist

  • E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
    • v8-devworkspace-operator-e2e: DevWorkspace e2e test
    • v8-che-happy-path: Happy path for verification integration with Che

Summary by CodeRabbit

  • Bug Fixes
    • Improved cleanup of the registry image-puller RoleBinding on OpenShift: removes workspace service accounts correctly when other workspaces remain and deletes the RoleBinding when the last workspace is removed.
  • Tests
    • Added tests covering OpenShift registry image-puller RoleBinding scenarios: removal of a single workspace SA, deletion when last workspace is removed, and no-op when RoleBinding is absent.
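The finalization decision described in this PR, written out as an added Go example that is not part of the devworkspace-operator code base: Subject, RoleBinding and Workspace are constructed stand-ins for the rbacv1 and DevWorkspace types, the "<workspace-id>-sa" naming is taken from the oc output a reviewer posts further down the page, and FinalizeRegistryRBAC, countNonDeletedWorkspaces and removeServiceAccountFromRoleBinding are this example's own functions (the operator has helpers of the same names, but this code is not theirs). The example also exercises the Kubernetes no-op path that a reviewer later suggests covering with a test.

```go
package main

import "fmt"

// Subject is a minimal stand-in for rbacv1.Subject (constructed for this example).
type Subject struct {
	Kind      string
	Name      string
	Namespace string
}

// RoleBinding is a minimal stand-in for rbacv1.RoleBinding: only name and subjects.
type RoleBinding struct {
	Name     string
	Subjects []Subject
}

// Workspace is a minimal stand-in for a DevWorkspace; Deleting mirrors a set DeletionTimestamp.
type Workspace struct {
	ID       string
	Deleting bool
}

// Action records what the finalizer decided, so callers and tests can assert on it.
type Action string

const (
	ActionNone          Action = "none"           // not OpenShift, or binding absent
	ActionDeleteBinding Action = "delete-binding" // last live workspace finalized
	ActionRemoveSubject Action = "remove-subject" // other live workspaces remain
)

// registryBindingName follows the naming scheme quoted in the PR description.
func registryBindingName(namespace string) string {
	return fmt.Sprintf("devworkspace-registry-image-puller-%s-binding", namespace)
}

// serviceAccountName follows the "<workspace-id>-sa" pattern visible in the reviewer's oc output.
func serviceAccountName(ws Workspace) string {
	return ws.ID + "-sa"
}

// countNonDeletedWorkspaces counts workspaces in the namespace that are not being deleted.
// The workspace being finalized already carries a deletion timestamp, so it is not counted.
func countNonDeletedWorkspaces(all []Workspace) int {
	n := 0
	for _, ws := range all {
		if !ws.Deleting {
			n++
		}
	}
	return n
}

// removeServiceAccountFromRoleBinding drops every subject matching the ServiceAccount.
// It returns true when a subject was removed and false when nothing changed, so a
// repeated call during a retried reconcile is a harmless no-op.
func removeServiceAccountFromRoleBinding(rb *RoleBinding, saName, namespace string) bool {
	kept := make([]Subject, 0, len(rb.Subjects))
	removed := false
	for _, s := range rb.Subjects {
		if s.Kind == "ServiceAccount" && s.Name == saName && s.Namespace == namespace {
			removed = true
			continue
		}
		kept = append(kept, s)
	}
	rb.Subjects = kept
	return removed
}

// FinalizeRegistryRBAC is the decision logic the PR describes: on OpenShift only, either
// delete the shared binding (no live workspaces left) or remove the finalized workspace's
// ServiceAccount from it. rb == nil models "RoleBinding not found". The returned binding is
// what should be written back; nil means it was deleted or was never there.
func FinalizeRegistryRBAC(isOpenShift bool, rb *RoleBinding, namespace string, finalized Workspace, all []Workspace) (Action, *RoleBinding) {
	if !isOpenShift {
		// Kubernetes path: the registry image-puller binding exists only on OpenShift.
		return ActionNone, rb
	}
	if rb == nil {
		// Nothing to clean up; finalization must not fail on a missing binding.
		return ActionNone, nil
	}
	if countNonDeletedWorkspaces(all) == 0 {
		return ActionDeleteBinding, nil
	}
	removeServiceAccountFromRoleBinding(rb, serviceAccountName(finalized), namespace)
	return ActionRemoveSubject, rb
}

func main() {
	ns := "openshift-operators"
	ws1 := Workspace{ID: "workspace0309dc29a88041a0"}
	ws2 := Workspace{ID: "workspace27795148ecc546e7"}
	rb := &RoleBinding{Name: registryBindingName(ns), Subjects: []Subject{
		{Kind: "ServiceAccount", Name: serviceAccountName(ws1), Namespace: ns},
		{Kind: "ServiceAccount", Name: serviceAccountName(ws2), Namespace: ns},
	}}

	// Delete the first workspace: ws2 is still live, so only its subject is removed.
	ws1.Deleting = true
	act, rb := FinalizeRegistryRBAC(true, rb, ns, ws1, []Workspace{ws1, ws2})
	fmt.Println(act, len(rb.Subjects))

	// Delete the last workspace: the shared binding is removed entirely.
	ws2.Deleting = true
	act, rb = FinalizeRegistryRBAC(true, rb, ns, ws2, []Workspace{ws1, ws2})
	fmt.Println(act, rb == nil)
}
```

The sequence in main mirrors the reviewer's live check: two running workspaces, delete one, the binding keeps the survivor's ServiceAccount, delete the other, the binding is gone.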

openshift-ci Bot commented Jun 8, 2026


Hi @danielpenad. Thanks for your PR.

I'm waiting for a devfile member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

coderabbitai Bot commented Jun 8, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6d30dd2d-5c81-48be-944a-1371e2897538

📥 Commits

Reviewing files that changed from the base of the PR and between fbacf7b and 30866a6.

📒 Files selected for processing (2)
  • pkg/provision/workspace/rbac/finalize.go
  • pkg/provision/workspace/rbac/finalize_test.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • pkg/provision/workspace/rbac/finalize.go
  • pkg/provision/workspace/rbac/finalize_test.go

📝 Walkthrough

Walkthrough

Adds OpenShift-specific cleanup for the shared registry image-puller RoleBinding during workspace finalization: when no non-deleted workspaces remain the RoleBinding is deleted; otherwise the finalized workspace's ServiceAccount is removed. Includes three tests covering removal, deletion, and missing-RoleBinding cases.

Changes

Registry RBAC Finalization

Layer / File(s): Registry RBAC cleanup implementation (pkg/provision/workspace/rbac/finalize.go)
Summary: Imports infrastructure, modifies FinalizeRBAC to call finalizeRegistryRBAC on OpenShift, and adds finalizeRegistryRBAC which counts non-deleted workspaces and either deletes the registry image-puller RoleBinding or removes the workspace ServiceAccount from its subjects.

Layer / File(s): Registry RBAC finalization tests (pkg/provision/workspace/rbac/finalize_test.go)
Summary: Three OpenShift v4 tests validate registry image-puller RoleBinding behavior: removing the finalized workspace ServiceAccount when others remain, deleting the RoleBinding when the last workspace is deleted, and doing nothing if the RoleBinding is absent. Adds newRegistryImagePullerRolebinding test helper.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related issues

Suggested labels

lgtm, approved

Suggested reviewers

  • ibuziuk
  • rohanKanojia
  • akurinnoy
  • btjd
  • dkwon17

Poem

🐰 A rabbit hops through code with cheer,
Cleaning bindings far and near.
On OpenShift nights the subjects fall away,
Leaving tidy RBAC for a brighter day. 🎋

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: implementing registry rolebinding finalization for OpenShift, which directly addresses the bug described in the PR objectives.
  • Linked Issues check: ✅ Passed. The code changes fully address all requirements from issue #1640: removing workspace ServiceAccounts from the shared registry image-puller RoleBinding during finalization, deleting it when no non-deleted workspaces remain, reusing existing helpers, and including comprehensive test coverage.
  • Out of Scope Changes check: ✅ Passed. All changes are scoped to the finalize.go and finalize_test.go files and directly implement the requirements from issue #1640 without introducing unrelated modifications.


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
pkg/provision/workspace/rbac/finalize.go (1)

16-24: ⚡ Quick win

Organize imports per project guidelines.

The imports are not organized according to the coding guideline, which requires three groups: (1) standard library, (2) third-party + Kubernetes, (3) project-local. Currently they are organized as project-local first, then Kubernetes, then third-party.

Run make fmt to automatically enforce the correct import organization. As per coding guidelines, imports should be organized with third-party and Kubernetes libraries before project-local imports.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/provision/workspace/rbac/finalize.go` around lines 16 - 24, Reorder the
import block in finalize.go to follow project guidelines: group standard library
imports first (none here), then third-party and Kubernetes imports (e.g.,
"sigs.k8s.io/controller-runtime/pkg/client" and "github.com/devfile/api/v2/..."
if treated as third-party), and finally project-local imports
("github.com/devfile/devworkspace-operator/pkg/common", ".../pkg/constants",
".../pkg/infrastructure", ".../pkg/provision/sync"); after rearranging, run make
fmt to enforce the correct import grouping and formatting.

Source: Coding guidelines

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e04e5dca-8487-4ff3-9ee8-57536f10a549

📥 Commits

Reviewing files that changed from the base of the PR and between ec6de18 and fbacf7b.

📒 Files selected for processing (2)
  • pkg/provision/workspace/rbac/finalize.go
  • pkg/provision/workspace/rbac/finalize_test.go

Signed-off-by: Daniel Pena Docampo <danielpdo@inditex.com>
@danielpenad force-pushed the bugfix/GH-1640-image-puller-rolebinding branch from fbacf7b to 30866a6 on June 8, 2026 at 15:43
openshift-ci Bot commented Jun 9, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: danielpenad, rohanKanojia
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@rohanKanojia

Member

Tested and works as expected:

$ oc get rolebinding devworkspace-registry-image-puller-openshift-operators-binding -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2026-06-09T12:04:07Z"
  labels:
    app.kubernetes.io/name: devworkspace-workspaces
    app.kubernetes.io/part-of: devworkspace-operator
    controller.devfile.io/workspace-rbac: "true"
  name: devworkspace-registry-image-puller-openshift-operators-binding
  namespace: openshift-operators
  resourceVersion: "74864"
  uid: 04263ce0-f08a-4fa6-92b1-9de51cece2ee
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:image-puller
subjects:
- kind: ServiceAccount
  name: workspace0309dc29a88041a0-sa
  namespace: openshift-operators
- kind: ServiceAccount
  name: workspace27795148ecc546e7-sa
  namespace: openshift-operators

$ dw
NAMESPACE             NAME            DEVWORKSPACE ID             PHASE     INFO
openshift-operators   code-latest     workspace0309dc29a88041a0   Running   https://workspace0309dc29a88041a0.apps-crc.testing/che-code/
openshift-operators   code-latest-2   workspace27795148ecc546e7   Running   https://workspace27795148ecc546e7.apps-crc.testing/che-code/

$ oc delete dw code-latest
devworkspace.workspace.devfile.io "code-latest" deleted

$ oc get rolebinding devworkspace-registry-image-puller-openshift-operators-binding -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2026-06-09T12:04:07Z"
  labels:
    app.kubernetes.io/name: devworkspace-workspaces
    app.kubernetes.io/part-of: devworkspace-operator
    controller.devfile.io/workspace-rbac: "true"
  name: devworkspace-registry-image-puller-openshift-operators-binding
  namespace: openshift-operators
  resourceVersion: "75108"
  uid: 04263ce0-f08a-4fa6-92b1-9de51cece2ee
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:image-puller
subjects:
- kind: ServiceAccount
  name: workspace27795148ecc546e7-sa
  namespace: openshift-operators

$ oc get dw
NAMESPACE             NAME            DEVWORKSPACE ID             PHASE     INFO
openshift-operators   code-latest-2   workspace27795148ecc546e7   Running   https://workspace27795148ecc546e7.apps-crc.testing/che-code/

$ oc delete dw code-latest-2
devworkspace.workspace.devfile.io "code-latest-2" deleted

rohanKanojia commented Jun 9, 2026

Member

/che-ai-assistant ok-pr-review

Review is complete. Please check the review comments below.

@tolusha tolusha left a comment

Contributor


Review Summary

This PR correctly fixes the OpenShift registry image-puller RoleBinding leak described in #1640. The implementation mirrors the existing finalizeSCCRBAC pattern, has strong test coverage, and handles edge cases properly. The design is sound and the RBAC security implications have been carefully considered.

Verdict: ✅ Approve - Ready to merge with two non-blocking suggestions below.

Suggestions

1. Document migration path for pre-existing leaked subjects

The fix prevents future RBAC leaks but won't clean up pre-existing stale subjects in clusters already affected by the bug. The linked issue mentions production RoleBindings with 21K+ stale ServiceAccount subjects.

Consider adding a note to the PR description or issue #1640 about manual remediation for affected clusters. For example:

Migration note: This fix prevents future leaks. For clusters with existing stale subjects, administrators can manually clean up affected RoleBindings:

oc edit rolebinding devworkspace-registry-image-puller-<namespace>-binding -n <namespace>
# Remove subjects referencing non-existent ServiceAccounts

Alternatively, a follow-up issue could track a one-time cleanup controller or script.

2. Add test for Kubernetes no-op behavior

The three new tests all use infrastructure.InitializeForTesting(infrastructure.OpenShiftv4) to verify OpenShift-specific cleanup. Consider adding a test that verifies FinalizeRBAC on Kubernetes does NOT interact with registry RoleBindings, to guard against regressions where the IsOpenShift() gate is accidentally removed.

Positive Observations

  • Clean, focused fix that follows existing patterns
  • Strong test assertions with two-layer error checking
  • Proper use of existing helpers (countNonDeletedWorkspaces, deleteRolebinding, removeServiceAccountFromRolebinding)
  • Control flow refactoring correctly ensures registry cleanup runs after default RBAC cleanup
  • Idempotent operations safe for concurrent deletions

Review generated by Claude Code with /ok-pr-review
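One way to identify the pre-existing stale subjects that the review above refers to, as an added Go example that is not the project's code: given the binding's subjects and the set of ServiceAccount names that still exist in the namespace (assumed to be gathered separately, for instance from oc get sa -n <namespace>), AuditRegistryBinding splits live from stale subjects, and MergePatchForLiveSubjects renders a JSON merge patch that keeps only the live ones. Subjects of other kinds, and ServiceAccount subjects from other namespaces, are deliberately left in place because the operator did not add them. The types, functions and sample data are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subject mirrors the rbacv1.Subject fields the audit needs (constructed for this example).
type Subject struct {
	Kind      string `json:"kind"`
	Name      string `json:"name"`
	Namespace string `json:"namespace,omitempty"`
}

// RoleBinding is a minimal stand-in for rbacv1.RoleBinding.
type RoleBinding struct {
	Name     string
	Subjects []Subject
}

// AuditResult separates subjects that still resolve to a ServiceAccount from stale ones.
type AuditResult struct {
	Live  []Subject
	Stale []Subject
}

// AuditRegistryBinding compares each ServiceAccount subject in the binding's own namespace
// against existingSAs, the set of ServiceAccount names that actually exist there. Anything
// the operator would not have added (other kinds, other namespaces) is kept as live.
func AuditRegistryBinding(rb RoleBinding, namespace string, existingSAs map[string]bool) AuditResult {
	var res AuditResult
	for _, s := range rb.Subjects {
		if s.Kind == "ServiceAccount" && s.Namespace == namespace && !existingSAs[s.Name] {
			res.Stale = append(res.Stale, s)
			continue
		}
		res.Live = append(res.Live, s)
	}
	return res
}

// MergePatchForLiveSubjects renders a JSON merge patch body that replaces the subjects list
// with the live subjects only. A merge patch replaces the whole list rather than appending,
// which is exactly what a cleanup of thousands of stale entries needs.
func MergePatchForLiveSubjects(res AuditResult) (string, error) {
	live := res.Live
	if live == nil {
		live = []Subject{} // emit "subjects": [] rather than null
	}
	b, err := json.Marshal(map[string][]Subject{"subjects": live})
	return string(b), err
}

func main() {
	ns := "openshift-operators"
	// Constructed sample: one workspace is still running, one was deleted before the fix
	// and left its ServiceAccount behind in the binding.
	rb := RoleBinding{
		Name: "devworkspace-registry-image-puller-openshift-operators-binding",
		Subjects: []Subject{
			{Kind: "ServiceAccount", Name: "workspace0309dc29a88041a0-sa", Namespace: ns},
			{Kind: "ServiceAccount", Name: "workspace27795148ecc546e7-sa", Namespace: ns},
		},
	}
	existing := map[string]bool{"workspace27795148ecc546e7-sa": true}

	res := AuditRegistryBinding(rb, ns, existing)
	for _, s := range res.Stale {
		fmt.Printf("stale subject: %s/%s\n", s.Namespace, s.Name)
	}
	patch, err := MergePatchForLiveSubjects(res)
	if err != nil {
		panic(err)
	}
	fmt.Println(patch)
}
```

The patch body is intended for oc patch rolebinding <name> -n <namespace> --type merge -p '<body>'. Check the stale list before applying it: any ServiceAccount that exists but was missed when building the name set would be dropped from the binding as well, which is a loss of image-pull access for a running workspace rather than a security exposure, but still an outage.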

Development

Successfully merging this pull request may close these issues.

OpenShift registry image-puller RoleBinding keeps deleted workspace ServiceAccounts

3 participants