Description
The .spec.serviceAccount field in the ClusterExtension API is being deprecated. This field was originally introduced to enforce least privilege by requiring a user-provided ServiceAccount for managing extension content. However, due to operational complexity and limited benefit, we propose to:
- Mark the field as optional and deprecated.
- Update the controller to ignore this field and use its own ServiceAccount for all reconciliation.
- Log a deprecation warning if the field is set.
- Eventually remove the field entirely in a future update.
Motivation
The .spec.serviceAccount field was originally introduced to enable least privilege by allowing users to specify a custom ServiceAccount for reconciliation. However, this added operational complexity with token management and impersonation. Simplifying this by using the controller’s own ServiceAccount reduces complexity and centralizes permission management, providing a clearer and more maintainable security model.
Impact
- Users relying on .spec.serviceAccount impersonation will need to ensure the controller’s ServiceAccount has appropriate permissions.
- Any manifests using this field will see warnings and should be updated to remove it before its eventual removal.
Tasks:
- Create enhancement proposal in openshift/enhancements repo
- Implement code changes
  - Ignore .spec.serviceAccount in controller logic
  - Update API to mark .spec.serviceAccount as optional and deprecated
  - Remove permissions preflight checks related to serviceAccount
  - Close enhancement proposal
- Update unit tests
  - Remove impersonation-related tests
  - Add tests to verify .spec.serviceAccount is ignored
- Update e2e tests
  - Verify reconciliation works without .spec.serviceAccount
  - Check deprecation warnings are logged when field is set
- Add or update upgrade test scenarios
  - Validate safe CRD schema change and field removal
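
For the manifest clean-up described under Impact, the following added example (not code from the project or the issue author) lists which ClusterExtension objects still set the field and which ServiceAccount each one names, so those permissions can be reviewed against the controller's ServiceAccount. It assumes the JSON shape produced by `kubectl get clusterextensions -o json`, with the reference at `.spec.serviceAccount.name` and the install namespace at `.spec.namespace`; the sample objects and the function name are constructed for illustration.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get clusterextensions -o json`.
SAMPLE = {"kind": "List", "items": [
    {"kind": "ClusterExtension", "metadata": {"name": "legacy-operator"},
     "spec": {"namespace": "legacy-system",
              "serviceAccount": {"name": "legacy-installer"}}},
    {"kind": "ClusterExtension", "metadata": {"name": "clean-operator"},
     "spec": {"namespace": "clean-system"}},
    {"kind": "ClusterExtension", "metadata": {"name": "empty-ref"},
     "spec": {"namespace": "misc", "serviceAccount": {}}},
    {"kind": "ConfigMap", "metadata": {"name": "unrelated"}},
]}


def find_deprecated_service_accounts(doc):
    """Return one finding per ClusterExtension that still sets .spec.serviceAccount."""
    if not isinstance(doc, dict):
        return []
    # A List wrapper carries "items"; a single object is treated as a one-item list.
    items = doc.get("items") if isinstance(doc.get("items"), list) else [doc]
    findings = []
    for obj in items:
        if not isinstance(obj, dict) or obj.get("kind") != "ClusterExtension":
            continue
        spec = obj.get("spec")
        if not isinstance(spec, dict) or "serviceAccount" not in spec:
            continue  # field absent: nothing to clean up
        sa = spec["serviceAccount"]
        name = sa.get("name") if isinstance(sa, dict) else None
        findings.append({
            "extension": (obj.get("metadata") or {}).get("name", "<unnamed>"),
            "namespace": spec.get("namespace", "<unset>"),  # assumed field location
            "serviceAccount": name or "<empty>",
        })
    return findings


if __name__ == "__main__":
    # Pass "-" to read kubectl output from stdin; otherwise the sample is used.
    doc = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    found = find_deprecated_service_accounts(doc)
    for f in found:
        print(f"{f['extension']}: remove .spec.serviceAccount "
              f"(references {f['namespace']}/{f['serviceAccount']})")
    sys.exit(1 if found else 0)
```

The non-zero exit status when any object still sets the field lets the check gate a CI job or a pre-upgrade script.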