
[ROSAENG-963] fix: Prevent customer CREATE of ServiceAccounts in managed namespaces #543

Open

xiaoyu74 wants to merge 1 commit into openshift:master from xiaoyu74:ROSAENG-963

Conversation

xiaoyu74 (Contributor) commented Jun 1, 2026

Background

  • The ServiceAccount validating webhook currently registers only DELETE operations for protected managed namespaces.
  • This creates an inconsistent lifecycle policy: customers can create ServiceAccounts in managed namespaces but may not be able to delete them later, leaving orphaned resources.
  • PR #497 previously added default to exceptionNamespaces so customer-managed ServiceAccounts there remain creatable and deletable. This change preserves that existing behavior.

What

  • Register both CREATE and DELETE operations for the ServiceAccount webhook.
  • Deny customer CREATE requests and keep the existing DELETE behavior in protected managed namespaces.

Other highlights for reviewers

  • Regenerated the Classic SelectorSyncSet manifest and the HyperShift Package Operator resource bundle, so both deployment paths now include the updated CREATE and DELETE webhook operations.
  • The generated webhook documentation has also been refreshed to match the new behavior.
  • More Context: ROSAENG-963

Validation in Staging

Test env

Cluster ID: 2qntit1spoe0udi9ss08qbb12g63ong2
Cluster Name: shawn-dev-classic
Version: 4.21.17

with this PR

  • self-built image based on this PR
oc -n openshift-validation-webhook get daemonset validation-webhook -o jsonpath='{.spec.template.spec.containers[0].image}{"\n"}'

quay.io/sbai_openshift/managed-cluster-validating-webhooks:mcvw-shawn-test-358f581
  • validatingwebhookconfiguration
oc get validatingwebhookconfiguration sre-serviceaccount-validation -o jsonpath='{.webhooks[0].rules[0].operations}{"\n"}' 

The webhook registration changed from:
["DELETE"]

to:

["CREATE", "DELETE"]

E2E Test

  • self-created htpasswd IDP to simulate a normal user as a customer
KUBECONFIG="${CUSTOMER_KUBECONFIG}" oc whoami
mcvw-shawn-test-user

echo ${PROTECTED_NS}
openshift-ingress-operator

KUBECONFIG="${CUSTOMER_KUBECONFIG}" oc auth can-i create serviceaccounts -n "${PROTECTED_NS}" 
yes
KUBECONFIG="${CUSTOMER_KUBECONFIG}" oc -n default create serviceaccount mcvw-shawn-test-create-allowed --dry-run=server
serviceaccount/mcvw-shawn-test-create-allowed created (server dry run)

KUBECONFIG="${CUSTOMER_KUBECONFIG}" oc -n default delete serviceaccount mcvw-shawn-test-create-allowed --dry-run=server
serviceaccount "mcvw-shawn-test-create-allowed" deleted from default namespace (server dry run)
  • Customer CREATE is denied by the admission webhook in the protected openshift-ingress-operator namespace
KUBECONFIG="${CUSTOMER_KUBECONFIG}" oc -n "${PROTECTED_NS}" create serviceaccount mcvw-shawn-test-create-denied --dry-run=server

error: failed to create serviceaccount: admission webhook "serviceaccount-validation.managed.openshift.io" denied the request: Creating service accounts in managed namespace openshift-ingress-operator is not allowed
  • Existing customer DELETE protection remains unchanged in protected managed namespaces
KUBECONFIG="${CUSTOMER_KUBECONFIG}" oc -n "${PROTECTED_NS}" delete serviceaccount ingress-operator --dry-run=server
Error from server (Forbidden): admission webhook "serviceaccount-validation.managed.openshift.io" denied the request: Deleting protected service account under namespace openshift-ingress-operator is not allowed

Validation on ROSA HCP

  • The HyperShift Package Operator resource bundle has also been regenerated with make package and includes both CREATE and DELETE operations for sre-serviceaccount-validation.
yq eval '
  select(
    .kind == "ValidatingWebhookConfiguration"
    and .metadata.name == "sre-serviceaccount-validation"
  )
  | .webhooks[0].rules[0].operations
' config/package/resources.yaml.gotmpl
- CREATE
- DELETE
  • ROSA HCP runtime validation can be completed in staging after this PR is merged, through the standard PKO rollout path.
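The admission decision the PR description and staging runs describe (allow in exception namespaces such as default, deny customer CREATE and DELETE in protected managed namespaces, read OldObject for DELETE and Object for CREATE) can be modelled end to end in a small stdlib-only program. The block below is an added example written for this page; it is not the webhook's own code from pkg/webhooks/serviceaccount/serviceaccount.go. The Request, Policy, NewRequest and SamplePolicy names are invented for the example, the group name "example-sre-admins" is a hypothetical stand-in for whatever privileged identities the real webhook exempts, and the protected-namespace set (which deliberately includes default so the exception ordering is visible) is constructed rather than taken from the project's configuration. The deny messages reuse the wording shown in the staging output above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Admission operations the webhook now registers (it previously registered DELETE only).
const Create, Delete = "CREATE", "DELETE"

// Request is a stdlib-only stand-in for the admissionv1.AdmissionRequest fields used here (constructed, not the project's type).
type Request struct {
	Operation string
	Namespace string
	Groups    []string        // from AdmissionRequest.UserInfo.Groups
	Object    json.RawMessage // populated by the API server on CREATE, empty on DELETE
	OldObject json.RawMessage // populated by the API server on DELETE, empty on CREATE
}

// serviceAccount is the slice of a v1.ServiceAccount the decision needs.
type serviceAccount struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
}

// Policy holds the decision inputs as sets; all three are constructed here, the real webhook derives them elsewhere.
type Policy struct {
	Protected  map[string]bool
	Exceptions map[string]bool // "default" was added here by PR #497
	Privileged map[string]bool // hypothetical group names standing in for SRE identities
}

// Validate reports whether the request is admitted and why; exceptions are checked before the protected set so "default" stays open.
func (p Policy) Validate(req Request) (bool, string) {
	// The API server fills OldObject on DELETE and Object on CREATE; decode the populated one.
	raw := req.Object
	if req.Operation == Delete {
		raw = req.OldObject
	}
	var sa serviceAccount
	if err := json.Unmarshal(raw, &sa); err != nil {
		return false, "unable to decode ServiceAccount: " + err.Error() // fail closed; covers an empty payload
	}
	ns := req.Namespace
	if ns == "" {
		ns = sa.Metadata.Namespace
	}
	if p.Exceptions[ns] || !p.Protected[ns] {
		return true, "namespace is not protected"
	}
	for _, g := range req.Groups {
		if p.Privileged[g] {
			return true, "privileged identity may manage ServiceAccounts in managed namespaces"
		}
	}
	switch req.Operation {
	case Create:
		return false, fmt.Sprintf("Creating service accounts in managed namespace %s is not allowed", ns)
	case Delete:
		return false, fmt.Sprintf("Deleting protected service account under namespace %s is not allowed", ns)
	}
	return true, "operation not covered by the webhook rules"
}

// NewRequest builds a constructed AdmissionRequest the way the API server would populate it.
func NewRequest(op, ns, name string, groups []string) Request {
	var sa serviceAccount
	sa.Metadata.Name, sa.Metadata.Namespace = name, ns
	raw, _ := json.Marshal(sa)
	req := Request{Operation: op, Namespace: ns, Groups: groups}
	if op == Delete {
		req.OldObject = raw
	} else {
		req.Object = raw
	}
	return req
}

// SamplePolicy reproduces the staging scenario from the PR description with constructed values.
func SamplePolicy() Policy {
	return Policy{
		Protected:  map[string]bool{"openshift-ingress-operator": true, "default": true},
		Exceptions: map[string]bool{"default": true},
		Privileged: map[string]bool{"example-sre-admins": true},
	}
}

func main() {
	customer := []string{"system:authenticated"} // a plain customer identity, no privileged group
	for _, req := range []Request{
		NewRequest(Create, "default", "mcvw-shawn-test-create-allowed", customer),
		NewRequest(Create, "openshift-ingress-operator", "mcvw-shawn-test-create-denied", customer),
		NewRequest(Delete, "openshift-ingress-operator", "ingress-operator", customer),
	} {
		ok, why := SamplePolicy().Validate(req)
		fmt.Printf("%-6s %-27s allowed=%-5t %s\n", req.Operation, req.Namespace, ok, why)
	}
}
```

Two design points worth noting for anyone reviewing the real change: a decode failure denies rather than allows, so a DELETE whose OldObject is unexpectedly empty cannot slip through the namespace check, and the exception lookup runs before the protected lookup, which is what keeps the default namespace creatable and deletable regardless of whether it would otherwise match the managed-namespace set.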

openshift-ci Bot requested review from clcollins and smarthall on June 1, 2026 06:36
coderabbitai Bot commented Jun 1, 2026

Walkthrough

This PR extends the managed cluster service account validation webhook to intercept and enforce restrictions on both CREATE and DELETE operations, rather than DELETE-only. The implementation updates webhook rules, adds authorization checks for CREATE requests, modifies object decoding logic, includes test coverage, and updates deployment manifests and comprehensive webhook documentation.

Changes

Service Account Webhook CREATE Validation

Layer: Service account webhook CREATE implementation
File(s): pkg/webhooks/serviceaccount/serviceaccount.go, pkg/webhooks/serviceaccount/serviceaccount_test.go
Summary: Webhook rules now intercept CREATE operations; authorization logic blocks CREATE in protected namespaces for non-allowed users; object decoding selects OldObject for DELETE and incoming Object for CREATE; new TestSACreation test suite validates CREATE admission across namespaces and user identities.

Layer: Deployment manifest updates
File(s): build/selectorsyncset.yaml, config/package/resources.yaml.gotmpl
Summary: Service account validation webhook configuration updated to register CREATE operation in addition to DELETE.

Layer: Webhook documentation registry
File(s): docs/webhooks-short.json, docs/webhooks.json
Summary: Comprehensive documentation of all managed cluster validation webhooks: new entries for HCP and hypershift resources (hcpnamespace, hostedcluster, hostedcontrolplane, manifestworks); network-operator authorization model clarified to explicitly list allowed service accounts; regular-user restriction scope updated; service account webhook documented for both CREATE and DELETE restrictions with exception namespaces.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (14 passed)

Title check: ✅ Passed. The title clearly and specifically describes the main change: preventing customer creation of ServiceAccounts in managed namespaces, which is the primary objective of this pull request.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names: ✅ Passed. All test names are stable and deterministic. Test functions and Ginkgo test titles use only static strings with no dynamic content, fmt.Sprintf, timestamps, or UUIDs.
Test Structure And Quality: ✅ Passed. Custom check seeks Ginkgo test code quality review, but PR adds only testing.T unit tests following codebase patterns; check is inapplicable.
Microshift Test Compatibility: ✅ Passed. No new Ginkgo e2e tests were added. The PR only adds TestSACreation, a standard Go unit test using testing.T, which is outside the scope of this MicroShift e2e test compatibility check.
Single Node Openshift (Sno) Test Compatibility: ✅ Passed. No Ginkgo e2e tests were added in this PR. The new TestSACreation is a standard Go unit test using testing.T, not a Ginkgo e2e test, so the SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility: ✅ Passed. PR modifies webhook validation rules and documentation only, not pod scheduling. No new deployment manifests or topology-incompatible scheduling constraints introduced.
Ote Binary Stdout Contract: ✅ Passed. Check not applicable: this is a Kubernetes validating webhook server, not an OTE binary communicating with openshift-tests via JSON stdout as the check requires.
Ipv6 And Disconnected Network Test Compatibility: ✅ Passed. No Ginkgo e2e tests were added. The PR adds only a standard Go unit test (TestSACreation) that uses the testing package, not Ginkgo framework.
No-Weak-Crypto: ✅ Passed. No weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or insecure token/secret comparisons found in modified files.
Container-Privileges: ✅ Passed. No privileged container settings found. Container specs have no privileged: true, hostPID/Network/IPC, SYS_ADMIN, allowPrivilegeEscalation, or root-as-user configurations.
No-Sensitive-Data-In-Logs: ✅ Passed. New logging only exposes namespace and service account names. Pre-existing AdmissionRequest logging follows pattern in 6+ other webhooks and doesn't expose passwords, tokens, PII, or secrets.
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.


openshift-ci Bot (Contributor) commented Jun 1, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: xiaoyu74

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot added the label "approved" (Indicates a PR has been approved by an approver from all required OWNERS files.) on Jun 1, 2026

openshift-ci Bot (Contributor) commented Jun 1, 2026

@xiaoyu74: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

xiaoyu74 (Contributor, Author) commented Jun 1, 2026

/hold - Doing some validation in staging clusters.

openshift-ci Bot added the label "do-not-merge/hold" (Indicates that a PR should not merge because someone has issued a /hold command.) on Jun 1, 2026

xiaoyu74 (Contributor, Author) commented Jun 5, 2026

/unhold

openshift-ci Bot removed the label "do-not-merge/hold" (Indicates that a PR should not merge because someone has issued a /hold command.) on Jun 5, 2026