opendatahub-io · jland-redhat · Oct 3, 2025 · Oct 3, 2025 · coderabbitai · Oct 3, 2025
diff --git a/maas-api/internal/tier/mapper.go b/maas-api/internal/tier/mapper.go
@@ -109,7 +109,7 @@ func (m *Mapper) loadTierConfig(ctx context.Context) ([]Tier, error) {
 
 	for i := range tiers {
 		tier := &tiers[i]
-		tier.Groups = append(tier.Groups, fmt.Sprintf("system:serviceaccount:%s", m.projectedNsName(tier)))
+		tier.Groups = append(tier.Groups, fmt.Sprintf("system:serviceaccounts:%s", m.projectedNsName(tier)))
 	}
 
 	return tiers, nil

diff --git a/maas-api/internal/tier/mapper_test.go b/maas-api/internal/tier/mapper_test.go
@@ -41,10 +41,16 @@ func TestMapper_GetTierForGroups(t *testing.T) {
 		},
 		{
 			name:         "inferred SA group - free tier",
-			groups:       []string{"system:serviceaccount:test-tenant-tier-free"},
+			groups:       []string{"system:serviceaccounts:test-tenant-tier-free"},
 			expectedTier: "free",
 			description:  "User belongs to only free tier group",
 		},
+		{
+			name:         "inferred SA group - premium tier",
+			groups:       []string{"system:serviceaccounts:test-tenant-tier-premium"},
+			expectedTier: "premium",
+			description:  "User belongs to only premium tier group",
+		},
 		{
 			name:         "single group - premium tier",
 			groups:       []string{"premium-users"},
@@ -87,6 +93,12 @@ func TestMapper_GetTierForGroups(t *testing.T) {
 			expectedTier: "developer",
 			description:  "User belongs to both premium and developer - developer has higher level (15 > 10)",
 		},
+		{
+			name:         "multiple groups - service account groups",
+			groups:       []string{"system:serviceaccounts", "system:serviceaccounts:test-tenant-tier-premium", "system:authenticated"},
+			expectedTier: "premium",
+			description:  "User belongs to both premium and developer - developer has higher level (15 > 10)",
+		},
 		{
 			name:         "three groups - enterprise wins",
 			groups:       []string{"free-users", "premium-users", "enterprise-users"},