Permission check fixed for the serviceaccount of the target allocator

[davidhaja]

Description:
Permission check fixed for the serviceaccount of the target allocator.
If the opentelemetrycollector.spec.targetAllocator.serviceAccount is not set, the operator
checks the system:serviceaccount:default:<EMPTY SA NAME> serviceaccount instead of the generated serviceaccount name.

Warning: missing the following rules for networking.k8s.io/ingresses: [get,system:serviceaccount:default:,list,system:serviceaccount:default:,watch,system:serviceaccount:default:]
Warning: missing the following rules for nodes: [get,system:serviceaccount:default:,list,system:serviceaccount:default:,watch,system:serviceaccount:default:]
Warning: missing the following rules for nodes/metrics: [get,system:serviceaccount:default:,list,system:serviceaccount:default:,watch,system:serviceaccount:default:]
Warning: missing the following rules for endpoints: [get,system:serviceaccount:default:,list,system:serviceaccount:default:,watch,system:serviceaccount:default:]
Warning: missing the following rules for pods: [get,system:serviceaccount:default:,list,system:serviceaccount:default:,watch,system:serviceaccount:default:]
Warning: missing the following rules for discovery.k8s.io/endpointslices: [get,system:serviceaccount:default:,list,system:serviceaccount:default:,watch,system:serviceaccount:default:]
Warning: missing the following rules for nonResourceURL: /metrics: [get,system:serviceaccount:default:]
Warning: missing the following rules for monitoring.coreos.com/servicemonitors: [*,system:serviceaccount:default:]
Warning: missing the following rules for monitoring.coreos.com/podmonitors: [*,system:serviceaccount:default:]
Warning: missing the following rules for services: [get,system:serviceaccount:default:,list,system:serviceaccount:default:,watch,system:serviceaccount:default:]
Warning: missing the following rules for namespaces: [get,system:serviceaccount:default:,list,system:serviceaccount:default:,watch,system:serviceaccount:default:]
Warning: missing the following rules for configmaps: [get,system:serviceaccount:default:]

This PR resolves this issue using the target allocator's serviceaccount naming logic.

Link to tracking Issue(s): 3380

• Resolves: RBAC warnings when using custom service account/rbac #3380

Testing:

Documentation:

[iblancasa]

checks the system:serviceaccount:default: serviceaccount instead of the generated serviceaccount name.

Is that the default service account the TA will use?

[davidhaja]

checks the system:serviceaccount:default: serviceaccount instead of the generated serviceaccount name.

Is that the default service account the TA will use?

Yes.

[swiatekm]

Thanks for fixing this! I'd love to see a test verifying that we call the function correctly. Changing the order of two string arguments in a function call is an easy mistake to make.

[jaronoff97]

+1 to Mikolaj's suggestion though :)

[davidhaja]

Thanks for fixing this! I'd love to see a test verifying that we call the function correctly. Changing the order of two string arguments in a function call is an easy mistake to make.

I'm wondering if it makes sense to include the serviceaccount name in the warning message?
So like:

Warning: missing the following rules for system:serviceaccount:default:metrics-targetallocator - nonResourceURL: /metrics: [get]
Warning: missing the following rules for system:serviceaccount:default:metrics-targetallocator - monitoring.coreos.com/podmonitors: [*]
Warning: missing the following rules for system:serviceaccount:default:metrics-targetallocator - nodes/metrics: [get,list,watch]
Warning: missing the following rules for system:serviceaccount:default:metrics-targetallocator - pods: [get,list,watch]
Warning: missing the following rules for system:serviceaccount:default:metrics-targetallocator - discovery.k8s.io/endpointslices: [get,list,watch]
Warning: missing the following rules for system:serviceaccount:default:metrics-targetallocator - namespaces: [get,list,watch]
Warning: missing the following rules for system:serviceaccount:default:metrics-targetallocator - configmaps: [get]
Warning: missing the following rules for system:serviceaccount:default:metrics-targetallocator - networking.k8s.io/ingresses: [get,list,watch]
Warning: missing the following rules for system:serviceaccount:default:metrics-targetallocator - monitoring.coreos.com/servicemonitors: [*]
Warning: missing the following rules for system:serviceaccount:default:metrics-targetallocator - nodes: [get,list,watch]
Warning: missing the following rules for system:serviceaccount:default:metrics-targetallocator - services: [get,list,watch]
Warning: missing the following rules for system:serviceaccount:default:metrics-targetallocator - endpoints: [get,list,watch]

@swiatekm @jaronoff97 wdyt?

[davidhaja]

Thanks for fixing this! I'd love to see a test verifying that we call the function correctly. Changing the order of two string arguments in a function call is an easy mistake to make.

I've included the serviceaccount information in the warning messages (system:serviceaccount:<namespace>:<serviceaccount name>)
Also modified the tests that cover the warning messages with this information.
So with this change the tests cover if the namespace and serviceaccount name is switched during the execution, because they are coming from the opentelemetrycollector and targetallocator CRs and included in the warning log.
@swiatekm @jaronoff97 Let me know if this modification satisfies your request, or if I need to add a separate test for this purpose.