WIP: TEST CI #331

Open
oribon wants to merge 1 commit into openshift:main from oribon:wip_test_ci

Conversation

oribon commented Jun 14, 2026

Is this a BUG FIX or a FEATURE ?:

Uncomment only one, leave it on its own line:

/kind bug
/kind cleanup
/kind feature
/kind design
/kind flake
/kind failing
/kind documentation
/kind regression

What this PR does / why we need it:

Special notes for your reviewer:

Release note:


Summary by CodeRabbit

Release Notes

  • Chores
    • Updated role-based access control for the MetalLB operator to consolidate and refine permissions for the manager and speaker service accounts, improving compatibility with required cluster resources and operational workflows.
    • Adjusted speaker permissions by removing access to the privileged SecurityContextConstraints and scoping PodSecurityPolicy usage to the speaker resource, strengthening control over security settings.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 14, 2026
coderabbitai Bot commented Jun 14, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8a843212-c2f5-47d0-9093-5224c24b87ae

📥 Commits

Reviewing files that changed from the base of the PR and between a249d76 and 3a88e0c.

📒 Files selected for processing (1)
  • manifests/stable/metallb-operator.clusterserviceversion.yaml
💤 Files with no reviewable changes (1)
  • manifests/stable/metallb-operator.clusterserviceversion.yaml

Walkthrough

The ClusterServiceVersion manifest's install.spec.clusterPermissions is restructured: the frr-k8s-daemon service account RBAC block is removed, manager-account gains expanded cluster permissions across multiple API groups, and the speaker account swaps its OpenShift SCC privileged rule for a scoped policy podsecuritypolicies use rule. Net change is 119 lines deleted.

Changes

CSV RBAC Consolidation

| Layer / File(s) | Summary |
|---|---|
| manager-account permission expansion (frr-k8s-daemon removal) / manifests/stable/metallb-operator.clusterserviceversion.yaml | Removes the frr-k8s-daemon clusterPermissions block; adds to manager-account: CRD read, apps daemonset/deployment list/watch, config.openshift.io apiservers/clusteroperators read, full metallb.io metallbs lifecycle (including finalizers/status), monitoring (podmonitors/servicemonitors) CRUD, broad networkpolicies permissions, operator.openshift.io networks update/watch, and podsecuritypolicies management. |
| manager-account workload permissions and speaker PSP swap / manifests/stable/metallb-operator.clusterserviceversion.yaml | Extends manager-account with create/patch/update/delete for configmaps, events, services, daemonsets, deployments, leases, and pod delete/list. Removes speaker's securitycontextconstraints privileged rule and adds policy podsecuritypolicies use permission scoped to resourceNames: speaker. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Ote Binary Stdout Contract | ❌ Error | In main.go line 109, zap logger is initialized without WriteTo configuration: ctrl.SetLogger(zap.New(zap.UseDevMode(true))). By default, zap writes to stdout, which violates OTE's JSON stdout con... | Add zap.WriteTo(os.Stderr) or use zap.UseDevMode(true) with explicit stderr redirection to ensure logging goes to stderr, not stdout. |
| Description check | ⚠️ Warning | The PR description is entirely empty, containing only the unchanged template with no substantive content in any required sections. | Fill in all required sections: specify the PR kind, explain what changes are being made and why, note any special considerations for reviewers, and provide a release note or 'NONE' if not applicable. |
| Title check | ❓ Inconclusive | The title 'WIP: TEST CI' is vague and generic, using non-descriptive terms that don't convey meaningful information about the actual changeset modifications to RBAC permissions. | Replace with a descriptive title that reflects the main changes, such as 'Update MetalLB operator RBAC permissions for manager and speaker accounts' or clarify the PR's actual purpose. |
✅ Passed checks (12 passed)
| Check name | Status | Explanation |
|---|---|---|
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | All Ginkgo test titles (It, Describe, Context, Entry) use static, deterministic names without dynamic values like generated identifiers, timestamps, or dynamic variables. |
| Test Structure And Quality | ✅ Passed | This PR contains only YAML manifest changes (RBAC rules in metallb-operator.clusterserviceversion.yaml) with no Ginkgo test code modifications, making the test structure check non-applicable. |
| Microshift Test Compatibility | ✅ Passed | New e2e tests added use only standard Kubernetes APIs (core/v1, apps/v1) available on MicroShift. No unavailable OpenShift APIs, resources, or unsupported assumptions detected in test code. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No new Ginkgo e2e tests are added in this PR. The only change is to a YAML manifest file (metallb-operator.clusterserviceversion.yaml) for operator RBAC configuration. The custom check does not apply. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | The ClusterServiceVersion manifest for metallb-operator contains deployments with no topology-unfriendly scheduling constraints. No required anti-affinity with maxUnavailable: 0, topology spread co... |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No Ginkgo e2e tests are added in this PR. The only change is to a Kubernetes manifest file (YAML) containing RBAC configuration. The custom check is not applicable. |
| No-Weak-Crypto | ✅ Passed | PR modifies only Kubernetes YAML manifest files (ClusterServiceVersion) containing RBAC configurations, not cryptographic code. No weak crypto usage, custom implementations, or insecure comparisons... |
| Container-Privileges | ✅ Passed | The manifest contains no container-level privilege escalation settings: privileged: true, hostPID/Network/IPC, SYS_ADMIN capabilities, runAsUser: 0, or allowPrivilegeEscalation: true. |
| No-Sensitive-Data-In-Logs | ✅ Passed | No sensitive data exposure in logging found. References to secrets/tokens/passwords are Kubernetes resource names or example configuration, not logged sensitive data. |
@openshift-ci openshift-ci Bot requested review from dougbtv and fedepaol June 14, 2026 12:26
openshift-ci Bot commented Jun 14, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: oribon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 14, 2026
@oribon oribon force-pushed the wip_test_ci branch 2 times, most recently from a0dfa51 to a249d76 Compare June 14, 2026 13:43
Signed-off-by: Ori Braunshtein <[email protected]>
openshift-ci Bot commented Jun 15, 2026

@oribon: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
