fix(openshift): use controller-manager SA for metrics RBAC#46

Merged
zdtsw merged 2 commits into opendatahub-io:main from Gregory-Pereira:ocp-use-authorization-credentials-for-metrics-v2
Mar 29, 2026
Conversation

@Gregory-Pereira
Member

@Gregory-Pereira Gregory-Pereira commented Mar 27, 2026

cc @vivekk16 @pierDipi @zdtsw

More confident about this one: I was able to test with what I think will become these permissions recreated by prefetched-manifests, and it resolved my permissions issues.

Summary by CodeRabbit

  • Chores
    • Updated OpenShift/cluster RBAC and overlay configuration for Prometheus metric access.
    • Replaced an older binding with a new reader binding so the monitoring stack can scrape the application's metrics via the preferred authorization path.
    • Ensured corresponding RBAC manifests are included in kustomize overlays for both OpenShift and upstream builds.

Signed-off-by: greg pereira <grpereir@redhat.com>
@coderabbitai

coderabbitai Bot commented Mar 27, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: eb49dbf5-9543-4c25-9e9b-72a8d929f5be

📥 Commits

Reviewing files that changed from the base of the PR and between 3551c43 and d2cf699.

📒 Files selected for processing (2)
  • config/rbac/kustomization.yaml
  • config/rbac/metrics_reader_role_binding.yaml
✅ Files skipped from review due to trivial changes (2)
  • config/rbac/kustomization.yaml
  • config/rbac/metrics_reader_role_binding.yaml

📝 Walkthrough

The OpenShift overlay's Prometheus RBAC configuration was changed: prometheus-metrics-auth-binding.yaml (a ClusterRoleBinding for prometheus-k8s in openshift-user-workload-monitoring) was removed and replaced in the kustomization with prometheus-metrics-reader-binding.yaml, which adds a ClusterRoleBinding that binds the metrics-reader ClusterRole to the controller-manager ServiceAccount. Separately, the cluster-wide metrics-reader-rolebinding was added to the RBAC kustomization, binding metrics-reader to kube-prometheus-stack-prometheus in the workload-variant-autoscaler-monitoring namespace.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Security observations

  • RBAC scope change to a cluster-level controller: verify this is intentional. Risk: improper privilege assignment — see CWE-269 (Improper Privilege Management) and CWE-732 (Incorrect Permission Assignment for Critical Resource). Action: confirm least-privilege and narrow subject namespace or role as appropriate.
  • Permission semantic change from tokenreview/subjectaccessreview to direct metrics-read: ensure metrics-reader does not grant extra verbs/resources beyond GET /metrics. Risk: overprivileged role — see CWE-250 (Execution with Unnecessary Privileges). Action: inspect metrics-reader ClusterRole manifest and restrict verbs/resources.
  • Missing role manifest in diff: the metrics-reader ClusterRole is not included here. Action: verify the role exists in the target cluster or repo and review its rules before merge.
  • ServiceAccount identity checks: confirm controller-manager and kube-prometheus-stack-prometheus subjects are the intended consumers and namespaces match expected contexts to avoid cross-namespace access. Action: validate namespace-scoped vs cluster-scoped identities and adjust binding subjects or namespaces.
  • Audit and monitoring: ensure RBAC changes are recorded and that audit rules will detect unexpected metric-scrape access attempts. Action: add audit checks for new ClusterRoleBinding creations.
🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: switching metrics RBAC configuration on OpenShift to use the controller-manager ServiceAccount instead of the previous prometheus-metrics-auth binding.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@config/openshift/prometheus-metrics-reader-binding.yaml`:
- Around line 13-15: The RoleBinding subject for the ServiceAccount named
"controller-manager" is missing the namespace, causing the binding to target the
default namespace; update the subjects block (the ServiceAccount subject) to
include namespace: workload-variant-autoscaler-system so the RoleBinding
correctly authorizes the controller-manager ServiceAccount in the overlay
namespace.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: e72df1fd-031d-4fc6-afe7-487d09715ec5

📥 Commits

Reviewing files that changed from the base of the PR and between 71ddcba and 3551c43.

📒 Files selected for processing (3)
  • config/openshift/kustomization.yaml
  • config/openshift/prometheus-metrics-auth-binding.yaml
  • config/openshift/prometheus-metrics-reader-binding.yaml
💤 Files with no reviewable changes (1)
  • config/openshift/prometheus-metrics-auth-binding.yaml

Comment on lines +13 to +15
subjects:
- kind: ServiceAccount
  name: controller-manager

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the binding subject explicitly sets namespace and matches overlay namespace.
set -euo pipefail

echo "Checking ServiceAccount subject block:"
awk 'BEGIN{p=0} /subjects:/{p=1} p{print} /namespace:/{if(p){exit}}' config/openshift/prometheus-metrics-reader-binding.yaml

echo
echo "Checking overlay namespace:"
rg -n '^\s*namespace:\s*' config/openshift/kustomization.yaml

Repository: opendatahub-io/workload-variant-autoscaler

Length of output: 262


Add namespace to ServiceAccount subject — binding targets wrong namespace (CWE-863: Improper Authorization).

Lines 14–15 define a ServiceAccount subject without namespace. Kubernetes defaults this to the "default" namespace, but the overlay (kustomization.yaml line 32) places the controller-manager ServiceAccount in workload-variant-autoscaler-system. This mismatch prevents the binding from authorizing the intended ServiceAccount, breaking metrics access.

Fix
 subjects:
 - kind: ServiceAccount
   name: controller-manager
+  namespace: workload-variant-autoscaler-system
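Review bot: The added `namespace: workload-variant-autoscaler-system` line is the right fix, but the comment text calls the object a RoleBinding while the walkthrough above identifies prometheus-metrics-reader-binding.yaml as a ClusterRoleBinding; a cluster-scoped binding has no enclosing namespace to fall back on, so the ServiceAccount subject needs an explicit namespace before it can resolve to the controller-manager account at all. The same check should be applied to the subject in config/rbac/metrics_reader_role_binding.yaml, whose kube-prometheus-stack-prometheus ServiceAccount the walkthrough places in workload-variant-autoscaler-monitoring, and the metrics-reader ClusterRole that this diff does not include should be reviewed to confirm it grants nothing beyond GET on /metrics.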
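The two checks the review asks for, an explicit namespace on every ServiceAccount subject of a ClusterRoleBinding and a metrics-reader ClusterRole limited to GET /metrics, as an added Go example that is not part of this PR or the workload-variant-autoscaler code base. It reads the JSON shape that `kubectl get clusterrolebinding -o json` and `kubectl get clusterrole -o json` return; the function names and the sample inputs are my own constructions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal views of what kubectl get -o json returns; encoding/json matches keys case-insensitively.
type Subject struct{ Kind, Name, Namespace string }
type ClusterRoleBinding struct{ Subjects []Subject }
type PolicyRule struct{ Verbs, Resources, NonResourceURLs []string }
type ClusterRole struct{ Rules []PolicyRule }

// AuditBinding flags ServiceAccount subjects that omit namespace: a ClusterRoleBinding
// has no namespace of its own, so such a subject never names the intended account.
func AuditBinding(raw string) ([]string, error) {
	var crb ClusterRoleBinding
	if err := json.Unmarshal([]byte(raw), &crb); err != nil {
		return nil, err
	}
	var findings []string
	for _, s := range crb.Subjects {
		if s.Kind == "ServiceAccount" && s.Namespace == "" {
			findings = append(findings, fmt.Sprintf("subject %q has no namespace", s.Name))
		}
	}
	return findings, nil
}

// AuditMetricsRole flags any rule granting more than `get` on the /metrics
// non-resource URL, which is all a scrape identity needs.
func AuditMetricsRole(raw string) ([]string, error) {
	var cr ClusterRole
	if err := json.Unmarshal([]byte(raw), &cr); err != nil {
		return nil, err
	}
	var findings []string
	for i, r := range cr.Rules {
		minimal := len(r.Resources) == 0 && len(r.NonResourceURLs) == 1 &&
			r.NonResourceURLs[0] == "/metrics" && len(r.Verbs) == 1 && r.Verbs[0] == "get"
		if !minimal {
			findings = append(findings, fmt.Sprintf("rule %d grants more than GET /metrics: %+v", i, r))
		}
	}
	return findings, nil
}

// Constructed samples (not from the repo): the pre-fix subject, and a role padded with an extra rule.
const SampleBinding = `{"subjects":[{"kind":"ServiceAccount","name":"controller-manager"}]}`
const SampleRole = `{"rules":[{"nonResourceURLs":["/metrics"],"verbs":["get"]},
{"apiGroups":[""],"resources":["pods"],"verbs":["list"]}]}`
```

Feeding the live objects from `kubectl get ... -o json` through these two functions turns the review's "confirm least privilege" and "validate subject namespaces" items into a repeatable pre-merge check.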

Signed-off-by: greg pereira <grpereir@redhat.com>
@zdtsw zdtsw merged commit 6b98a1c into opendatahub-io:main Mar 29, 2026
5 checks passed
zdtsw pushed a commit to zdtsw-forking/workload-variant-autoscaler that referenced this pull request Apr 2, 2026
…est to 8b211cc (opendatahub-io#46)

Signed-off-by: konflux-internal-p02 <170854209+konflux-internal-p02[bot]@users.noreply.github.com>
Co-authored-by: konflux-internal-p02[bot] <170854209+konflux-internal-p02[bot]@users.noreply.github.com>