Fix gcr-io CronJob SA field: serviceAccount → serviceAccountName #79546

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:main from petr-muller:gcr-io-triggers-sa-name
May 21, 2026

@petr-muller petr-muller commented May 20, 2026

Summary

Follow-up to #79380: all 8 CronJobs introduced there used serviceAccount in the pod spec, but Kubernetes honors serviceAccountName — the serviceAccount field is deprecated and silently ignored. This means the CronJobs were still running as the default SA rather than the build-trigger SA, so the RBAC fix in #79380 had no effect.

Renames the field in all 8 files (boskos, checkconfig, cleaner, commenter, gcsweb, git, label-sync, reaper).

Test plan

  • Verify CronJob pods run as build-trigger SA after merge (check oc get pod -o yaml for serviceAccountName)
  • Verify oc start-build succeeds from a manually triggered Job

🤖 Generated with Claude Code

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Fix incorrect CronJob service account field name

This PR corrects a field name issue in eight CronJob manifests (boskos, checkconfig, cleaner, commenter, gcsweb, git, label-sync, and reaper) in the gcr-io namespace of the OpenShift CI infrastructure.

The Issue

The CronJobs were using the deprecated serviceAccount field instead of the correct serviceAccountName field in their pod specifications. Kubernetes ignores the deprecated field, causing these CronJobs to run under the default service account instead of the intended build-trigger service account that was introduced in PR #79380.

The Fix

All eight CronJob manifests have been updated to replace serviceAccount: build-trigger with serviceAccountName: build-trigger, ensuring the pods will run with the correct permissions and identity.

Impact

This fix restores the intended RBAC configuration for the gcr-io build trigger jobs. After this merge, the CronJobs will properly authenticate and authorize using the build-trigger service account, which should enable build-related operations (like oc start-build) that depend on these permissions.

The deprecated `serviceAccount` pod spec field is not honored by
Kubernetes — `serviceAccountName` is the correct field. All 8 CronJobs
in the gcr-io namespace were using the wrong field name, meaning they
ran as the default SA rather than the intended `build-trigger` SA
introduced in openshift#79380.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
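
A manifest lint for the field mix-up described in this PR, added here as an example and not part of the PR or the repository: it flags pod specs that set `serviceAccount` without `serviceAccountName` and applies the same rename. The CronJob name, schedule and image are constructed, and the manifest is given as JSON so only the standard library is needed.

```python
import copy
import json

# Constructed sample CronJob (name, schedule, image are placeholders). JSON is
# used so the example needs no YAML library; YAML loads to the same structure.
BEFORE = json.loads("""
{"apiVersion": "batch/v1", "kind": "CronJob",
 "metadata": {"name": "example-trigger", "namespace": "gcr-io"},
 "spec": {"schedule": "0 * * * *",
  "jobTemplate": {"spec": {"template": {"spec": {
    "serviceAccount": "build-trigger",
    "containers": [{"name": "trigger", "image": "example.invalid/cli:latest"}]
  }}}}}}
""")


def pod_specs(node, path="$"):
    """Yield (path, spec) for every mapping that looks like a pod spec."""
    if isinstance(node, dict):
        if isinstance(node.get("containers"), list):
            yield path, node
        for key, value in node.items():
            yield from pod_specs(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from pod_specs(item, f"{path}[{i}]")


def lint(manifest, expected_sa):
    """Return (path, problem) for pod specs not naming expected_sa via serviceAccountName."""
    findings = []
    for path, spec in pod_specs(manifest):
        name = spec.get("serviceAccountName")
        if name is None and "serviceAccount" in spec:
            findings.append((path, "deprecated-field-only"))
        elif name is None:
            findings.append((path, "no-service-account"))
        elif name != expected_sa:
            findings.append((path, f"unexpected:{name}"))
    return findings


def fix(manifest):
    """Return a copy with serviceAccount renamed to serviceAccountName, as the PR does."""
    fixed = copy.deepcopy(manifest)
    for _, spec in pod_specs(fixed):
        if "serviceAccount" in spec and "serviceAccountName" not in spec:
            spec["serviceAccountName"] = spec.pop("serviceAccount")
    return fixed
```

Running `lint` over every manifest in a directory as a presubmit check catches the pattern before merge, which complements the post-merge `oc get pod -o yaml` check in the test plan.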

coderabbitai Bot commented May 20, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 6309cdd and eba0241.

📒 Files selected for processing (8)
  • clusters/app.ci/supplemental-ci-images/gcr-io/boskos.yaml
  • clusters/app.ci/supplemental-ci-images/gcr-io/checkconfig.yaml
  • clusters/app.ci/supplemental-ci-images/gcr-io/cleaner.yaml
  • clusters/app.ci/supplemental-ci-images/gcr-io/commenter.yaml
  • clusters/app.ci/supplemental-ci-images/gcr-io/gcsweb.yaml
  • clusters/app.ci/supplemental-ci-images/gcr-io/git.yaml
  • clusters/app.ci/supplemental-ci-images/gcr-io/label-sync.yaml
  • clusters/app.ci/supplemental-ci-images/gcr-io/reaper.yaml

Walkthrough

Eight CronJob manifests in clusters/app.ci/supplemental-ci-images/gcr-io/ are updated to standardize their service account field references. Each manifest replaces the deprecated serviceAccount field with the correct Kubernetes serviceAccountName field in its pod template specification, all referencing the same build-trigger service account.

Changes

Service Account Field Standardization

| Layer / File(s) | Summary |
| --- | --- |
| CronJob service account field rename: clusters/app.ci/supplemental-ci-images/gcr-io/boskos.yaml, checkconfig.yaml, cleaner.yaml, commenter.yaml, gcsweb.yaml, git.yaml, label-sync.yaml, reaper.yaml | Eight CronJob pod templates updated from serviceAccount: build-trigger to serviceAccountName: build-trigger, correcting the field name to match Kubernetes API specifications. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

lgtm, approved

Suggested reviewers

  • droslean
  • josephca

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title clearly and specifically describes the main change: fixing the serviceAccount field to serviceAccountName across gcr-io CronJob manifests. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | This PR contains only YAML Kubernetes manifest changes (8 CronJob config files) with no Ginkgo test code; the check for stable test names is not applicable. |
| Test Structure And Quality | ✅ Passed | The PR contains only YAML manifest configuration changes (serviceAccount → serviceAccountName), not Ginkgo test code. The check is not applicable. |
| Microshift Test Compatibility | ✅ Passed | PR modifies only Kubernetes manifest YAML files (8 CronJob specs), not Ginkgo e2e tests. No test additions found; custom check is not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | This PR modifies only Kubernetes/OpenShift YAML manifest files for CronJob configurations, not Ginkgo e2e tests. The custom check applies only when new tests are added; no test code is present. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | The PR renames serviceAccount to serviceAccountName in 8 CronJob YAMLs without introducing any topology-sensitive scheduling constraints, affinity rules, or node targeting. |
| Ote Binary Stdout Contract | ✅ Passed | PR only modifies YAML configuration files (serviceAccount→serviceAccountName field renames in CronJob specs), contains no Go code, binary code, or stdout writes that would violate OTE stdout contract. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | This PR modifies only Kubernetes manifest files (YAML), not Ginkgo e2e tests. The custom check applies to new e2e tests, which are not present in this PR. |

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label May 20, 2026
@openshift-merge-bot

[REHEARSALNOTIFIER]
@petr-muller: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

@openshift-ci openshift-ci Bot requested review from bear-redhat and droslean May 20, 2026 15:31

openshift-ci Bot commented May 20, 2026

@petr-muller: all tests passed!

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 21, 2026

openshift-ci Bot commented May 21, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: droslean, petr-muller

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 21, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit bff127d into openshift:main May 21, 2026
8 checks passed