OCPCLOUD-3347: Add RBAC for machine-approver to read APIServer TLS profile

[bryan-cox]

Summary

Add cluster-scoped RBAC for the machine-approver to read apiservers.config.openshift.io, required after openshift/cluster-machine-approver PR #286 introduced FetchAPIServerTLSProfile().

Problem

The cluster-machine-approver binary now calls FetchAPIServerTLSProfile() at startup using its in-cluster (management cluster) client, which reads apiservers.config.openshift.io/cluster. HyperShift's existing machine-approver RBAC is a namespace-scoped Role granting only cluster.x-k8s.io/machines access. Since apiservers is cluster-scoped, the machine-approver crashes with:

unable to get TLS profile from API server: failed to get APIServer "/cluster": apiservers.config.openshift.io "cluster" is forbidden

This breaks all HyperShift e2e tests using 4.22 CI nightlies built after 2026-02-25T08:01Z (evidence).

Changes

• reconcileMachineApproverClusterRBAC in the HostedCluster controller: creates a ClusterRole and ClusterRoleBinding (named <hcp-namespace>-machine-approver) granting get, list, watch on apiservers in config.openshift.io
• DisableMachineManagement guard: skips RBAC creation when the annotation is set, matching the CPO's machine-approver component predicate
• MachineApproverServiceAccount helper: new cpomanifests.MachineApproverServiceAccount() for consistency with PKIOperatorServiceAccount() and KubevirtCSIDriverInfraSA()

Follows the existing pattern used by the PKI operator and KubeVirt CSI driver for cluster-scoped RBAC created by the hypershift-operator (since the CPO lacks cluster-scoped permissions).

Test plan

• Verify unit tests pass
• Verify e2e tests pass with a 4.22 CI nightly containing the new cluster-machine-approver

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features
  • Automatic cluster-level RBAC is now configured for the machine-approver during HostedCluster reconciliation, including role and binding creation and improved error reporting.
  • A machine-approver ServiceAccount is now defined and referenced so the component can be granted the needed permissions.

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[coderabbitai]

Walkthrough

Adds RBAC reconciliation for the machine-approver: hostedcluster controller now ensures a ClusterRole and ClusterRoleBinding granting get/list/watch on config.openshift.io/apiservers to the machine-approver ServiceAccount in the HostedControlPlane namespace; also adds a helper to construct that ServiceAccount object.

Changes

Cohort / File(s)	Summary
HostedCluster RBAC Reconcile hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go	Added reconcileMachineApproverClusterRBAC to create/ensure a ClusterRole and ClusterRoleBinding for the machine-approver ServiceAccount; invoked during HostedCluster reconciliation and gated by the DisableMachineManagement annotation.
Machine-Approver ServiceAccount manifest control-plane-operator/controllers/hostedcontrolplane/manifests/machineapprover.go	Added MachineApproverServiceAccount(ns string) *corev1.ServiceAccount helper that returns a machine-approver ServiceAccount object scoped to the given namespace.

Sequence Diagram(s)

sequenceDiagram
    participant HC as HostedCluster Reconciler
    participant K8s as Kubernetes API (RBAC)
    participant HCP as HostedControlPlane namespace / ServiceAccount

    HC->>HC: check DisableMachineManagement annotation
    alt machine management enabled
        HC->>K8s: Ensure ClusterRole (get/list/watch apiservers)
        K8s-->>HC: ClusterRole created/updated
        HC->>K8s: Ensure ClusterRoleBinding -> subject: SA in HCP
        K8s-->>HC: ClusterRoleBinding created/updated
        note right of HCP: ServiceAccount referenced (may be created elsewhere)
    else disabled
        HC-->>HC: skip RBAC reconciliation
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (1 warning, 2 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Stable And Deterministic Test Names	❓ Inconclusive	No shell command execution environment available for verification	Unable to verify test declarations or implementation details without access to file system
Test Structure And Quality	❓ Inconclusive	The shell commands provided attempt to inspect Go source files and git diffs, but no actual verification output or file contents were provided to analyze.	Provide actual file contents or command output results to verify the implementation of machineapprover.go and related test coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding RBAC for the machine-approver component to read APIServer TLS profile, which aligns with the core functionality added in the reconcileMachineApproverClusterRBAC method.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [bryan-cox]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@bryan-cox: This pull request references OCPCLOUD-3347 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Summary

Add cluster-scoped RBAC for the machine-approver to read apiservers.config.openshift.io, required after openshift/cluster-machine-approver PR #286 introduced FetchAPIServerTLSProfile().

Problem

The cluster-machine-approver binary now calls FetchAPIServerTLSProfile() at startup using its in-cluster (management cluster) client, which reads apiservers.config.openshift.io/cluster. HyperShift's existing machine-approver RBAC is a namespace-scoped Role granting only cluster.x-k8s.io/machines access. Since apiservers is cluster-scoped, the machine-approver crashes with:

unable to get TLS profile from API server: failed to get APIServer "/cluster": apiservers.config.openshift.io "cluster" is forbidden

This breaks all HyperShift e2e tests using 4.22 CI nightlies built after 2026-02-25T08:01Z (evidence).

Changes

• reconcileMachineApproverClusterRBAC in the HostedCluster controller: creates a ClusterRole and ClusterRoleBinding (named <hcp-namespace>-machine-approver) granting get, list, watch on apiservers in config.openshift.io
• DisableMachineManagement guard: skips RBAC creation when the annotation is set, matching the CPO's machine-approver component predicate
• MachineApproverServiceAccount helper: new cpomanifests.MachineApproverServiceAccount() for consistency with PKIOperatorServiceAccount() and KubevirtCSIDriverInfraSA()

Follows the existing pattern used by the PKI operator and KubeVirt CSI driver for cluster-scoped RBAC created by the hypershift-operator (since the CPO lacks cluster-scoped permissions).

Test plan

• Verify unit tests pass
• Verify e2e tests pass with a 4.22 CI nightly containing the new cluster-machine-approver

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@bryan-cox: This pull request references OCPCLOUD-3347 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Summary

Add cluster-scoped RBAC for the machine-approver to read apiservers.config.openshift.io, required after openshift/cluster-machine-approver PR #286 introduced FetchAPIServerTLSProfile().

Problem

The cluster-machine-approver binary now calls FetchAPIServerTLSProfile() at startup using its in-cluster (management cluster) client, which reads apiservers.config.openshift.io/cluster. HyperShift's existing machine-approver RBAC is a namespace-scoped Role granting only cluster.x-k8s.io/machines access. Since apiservers is cluster-scoped, the machine-approver crashes with:

unable to get TLS profile from API server: failed to get APIServer "/cluster": apiservers.config.openshift.io "cluster" is forbidden

This breaks all HyperShift e2e tests using 4.22 CI nightlies built after 2026-02-25T08:01Z (evidence).

Changes

• reconcileMachineApproverClusterRBAC in the HostedCluster controller: creates a ClusterRole and ClusterRoleBinding (named <hcp-namespace>-machine-approver) granting get, list, watch on apiservers in config.openshift.io
• DisableMachineManagement guard: skips RBAC creation when the annotation is set, matching the CPO's machine-approver component predicate
• MachineApproverServiceAccount helper: new cpomanifests.MachineApproverServiceAccount() for consistency with PKIOperatorServiceAccount() and KubevirtCSIDriverInfraSA()

Follows the existing pattern used by the PKI operator and KubeVirt CSI driver for cluster-scoped RBAC created by the hypershift-operator (since the CPO lacks cluster-scoped permissions).

Test plan

• Verify unit tests pass
• Verify e2e tests pass with a 4.22 CI nightly containing the new cluster-machine-approver

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features
• Automatic cluster-level RBAC is now configured for the machine-approver during HostedCluster reconciliation, including role and binding creation and improved error reporting.
• A machine-approver ServiceAccount is now defined and referenced so the component can be granted the needed permissions.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

🧹 Nitpick comments (1)

control-plane-operator/controllers/hostedcontrolplane/manifests/machineapprover.go (1)

8-15: LGTM — consider extracting the name literal as a package-level constant.

The helper is correctly minimal and follows the established manifest-helper pattern in this package. Optionally, extracting "machine-approver" as a named constant would keep all references (ClusterRole/ClusterRoleBinding name prefix, RBAC subject, service-account name) consistent and refactor-safe. Note that a duplicate constant ComponentName = "machine-approver" already exists in control-plane-operator/controllers/hostedcontrolplane/v2/machine_approver/component.go; consolidating by defining the constant in the manifests package and having the component reference it would eliminate duplication.

♻️ Proposed optional refactor

 package manifests

 import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

+const MachineApproverName = "machine-approver"
+
 func MachineApproverServiceAccount(ns string) *corev1.ServiceAccount {
 	return &corev1.ServiceAccount{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      "machine-approver",
+			Name:      MachineApproverName,
 			Namespace: ns,
 		},
 	}
 }

Then reference manifests.MachineApproverName wherever "machine-approver" appears, and update v2/machine_approver/component.go to import and use the constant from manifests to eliminate duplication.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@control-plane-operator/controllers/hostedcontrolplane/manifests/machineapprover.go`
around lines 8 - 15, Extract the literal "machine-approver" into a package-level
constant (e.g., MachineApproverName) in the manifests package and replace the
literal in MachineApproverServiceAccount (and any other manifest helpers in the
same package) with that constant; then update
control-plane-operator/controllers/hostedcontrolplane/v2/machine_approver/component.go
to import the manifests package and use manifests.MachineApproverName instead of
its local ComponentName to eliminate the duplicate constant and keep
ClusterRole/ClusterRoleBinding names, RBAC subjects, and service-account name
consistent.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In
`@control-plane-operator/controllers/hostedcontrolplane/manifests/machineapprover.go`:
- Around line 8-15: Extract the literal "machine-approver" into a package-level
constant (e.g., MachineApproverName) in the manifests package and replace the
literal in MachineApproverServiceAccount (and any other manifest helpers in the
same package) with that constant; then update
control-plane-operator/controllers/hostedcontrolplane/v2/machine_approver/component.go
to import the manifests package and use manifests.MachineApproverName instead of
its local ComponentName to eliminate the duplicate constant and keep
ClusterRole/ClusterRoleBinding names, RBAC subjects, and service-account name
consistent.

---

ℹ️ Review info

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 7719314 and e3662b5.

📒 Files selected for processing (2)

• control-plane-operator/controllers/hostedcontrolplane/manifests/machineapprover.go
• hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go

🚧 Files skipped from review as they are similar to previous changes (1)

• hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go

[openshift-ci]

@bryan-cox: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify	e3662b5	link	true	/test verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[sjenning]

This was the issue openshift/cluster-machine-approver#286 (review)