UPSTREAM: <carry>: Remove handler SA permissions from CSV

Since 2e8c06a the permissions for the handler service account are all defined in the operator code, so there is no need anymore to define OpenShift specific permissions in the CSV or for e2e tests anymore. Signed-off-by: Christoph Stäbler <cstabler@redhat.com> (cherry picked from commit 0412ecb) (cherry picked from commit d4593c6) (cherry picked from commit ce44af5) Signed-off-by: Douglas Schilling Landgraf <dougsland@redhat.com> (cherry picked from commit d0e95b8) Signed-off-by: Douglas Schilling Landgraf <dougsland@redhat.com> (cherry picked from commit 1edae0a) Signed-off-by: Douglas Schilling Landgraf <dougsland@redhat.com>
openshift-networking · Apr 25, 2023 · 16b0007 · 16b0007
1 parent 3a1b138
commit 16b0007
Show file tree

Hide file tree

Showing 4 changed files with 1 addition and 18 deletions.
diff --git a/cluster/sync-operator.sh b/cluster/sync-operator.sh
@@ -19,10 +19,6 @@ function deploy_operator() {
     $kubectl apply -f $MANIFESTS_DIR/role_binding.yaml
     $kubectl apply -f deploy/crds/nmstate.io_nmstates.yaml
     $kubectl apply -f $MANIFESTS_DIR/operator.yaml
-
-    if isOpenshift; then
-        $kubectl apply -f $MANIFESTS_DIR/scc.yaml
-    fi
 }
 
 function wait_ready_operator() {

diff --git a/hack/ocp-update-bundle-manifests.sh b/hack/ocp-update-bundle-manifests.sh
@@ -57,9 +57,6 @@ BUNDLE_DIR=${BUNDLE_DIR} MANIFEST_BASES_DIR=${MANIFEST_BASES_DIR} make bundle
 # add the cluster permissions to use the privileged security context constraint to the nmstate-operator SA in the CSV
 $(yq4) --inplace eval '.spec.install.spec.clusterPermissions[] |= select(.rules[]) |= select(.serviceAccountName == "nmstate-operator").rules += {"apiGroups":["security.openshift.io"],"resources":["securitycontextconstraints"],"verbs":["use"],"resourceNames":["privileged"]}' ${BUNDLE_DIR}/manifests/kubernetes-nmstate-operator.clusterserviceversion.yaml
 
-# add the permissions to use the privileged security context constraint to the nmstate-handler SA in the CSV
-$(yq4) --inplace eval '.spec.install.spec.permissions += {"rules":[{"apiGroups":["security.openshift.io"],"resources":["securitycontextconstraints"],"verbs":["use"],"resourceNames":["privileged"]}],"serviceAccountName":"nmstate-handler"}' ${BUNDLE_DIR}/manifests/kubernetes-nmstate-operator.clusterserviceversion.yaml
-
 # remove unneeded owned CRDs in CSV / use only NMState v1 CRD
 $(yq4) --inplace eval '.spec.customresourcedefinitions.owned |= [{"kind":"NMState","name":"nmstates.nmstate.io","version":"v1","description":"Represents an NMState deployment.","displayName":"NMState"}]' ${BUNDLE_DIR}/manifests/kubernetes-nmstate-operator.clusterserviceversion.yaml
 

diff --git a/manifests/4.12/manifests/kubernetes-nmstate-operator.clusterserviceversion.yaml b/manifests/4.12/manifests/kubernetes-nmstate-operator.clusterserviceversion.yaml
@@ -265,16 +265,6 @@ spec:
               verbs:
                 - '*'
           serviceAccountName: nmstate-operator
-        - rules:
-            - apiGroups:
-                - security.openshift.io
-              resources:
-                - securitycontextconstraints
-              verbs:
-                - use
-              resourceNames:
-                - privileged
-          serviceAccountName: nmstate-handler
     strategy: deployment
   installModes:
     - supported: true

diff --git a/test/e2e/operator/operator.go b/test/e2e/operator/operator.go
@@ -145,7 +145,7 @@ func InstallOperator(operator TestData) {
 		_, err = cmd.Kubectl("apply", "-f", operator.ManifestsDir+manifest)
 		Expect(err).ToNot(HaveOccurred())
 	}
-	cmd.Kubectl("apply", "-f", fmt.Sprintf("%s/scc.yaml", operator.ManifestsDir)) //ignore the error to be able to run the test against none OCP clusters as well
+
 	deployment.GetEventually(types.NamespacedName{Namespace: operator.Ns, Name: "nmstate-operator"}).Should(deployment.BeReady())
 }