Skip to content

Deprecate .spec.serviceAccount Field in ClusterExtension API #2262

Closed as not planned
Task
Closed as not planned
Deprecate .spec.serviceAccount Field in ClusterExtension API#2262
Task
Assignees
rashmigottipatitrgeiger
Labels
lifecycle/staleDenotes an issue or PR has remained open with no activity and has become stale.
@rashmigottipati

Description

@rashmigottipati
rashmigottipati
opened on Oct 10, 2025

Description

The .spec.serviceAccount field in the ClusterExtension API is being deprecated. This field was originally introduced to enforce least privilege by requiring a user-provided ServiceAccount for managing extension content. However, due to operational complexity and limited benefit, we propose to:

  • Mark the field as optional and deprecated.
  • Update the controller to ignore this field and use its own ServiceAccount for all reconciliation.
  • Log a deprecation warning if the field is set.
  • Eventually remove the field entirely in a future update.

Motivation

The .spec.serviceAccount field was originally introduced to enable least privilege by allowing users to specify a custom ServiceAccount for reconciliation. However, this added operational complexity with token management and impersonation. Simplifying this by using the controller’s own ServiceAccount reduces complexity and centralizes permission management, providing a clearer and more maintainable security model.

Impact

  • Users relying on .spec.serviceAccount impersonation will need to ensure the controller’s ServiceAccount has appropriate permissions.
  • Any manifests using this field will see warnings and should be updated to remove it before its eventual removal.

Tasks:

  • Create enhancement proposal in openshift/enhancements repo

  • Implement code changes

    • Ignore .spec.serviceAccount in controller logic
    • Update API to mark .spec.serviceAccount as optional and deprecated
    • Remove permissions preflight checks related to serviceAccount
    • Close enhancement proposal

  • Update unit tests

    • Remove impersonation-related tests
    • Add tests to verify .spec.serviceAccount is ignored

  • Update e2e tests

    • Verify reconciliation works without .spec.serviceAccount
    • Check deprecation warnings are logged when field is set

  • Add or update upgrade test scenarios

    • Validate safe CRD schema change and field removal

Metadata

Metadata

Assignees

Labels

lifecycle/staleDenotes an issue or PR has remained open with no activity and has become stale.

Type

Task

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions