fix(operators): create tenant-runtime ServiceAccount in the Platform reconcile#29
Merged
The tenant-runtime ServiceAccount — the identity tenant workloads assume via IRSA — was created only by the AgentFleet and AgentSandbox reconcilers. But a Platform reaches phase=Ready as soon as its own reconcile finishes minting the IRSA role, independent of (and usually before) any AgentFleet reconcile. So a freshly-provisioned Platform could be Ready with no tenant-runtime SA, which a conformance audit flags as SERVICE_ACCOUNT_MISSING: the IRSA role's trust is scoped to exactly system:serviceaccount:<ns>:tenant-runtime, so without the SA the role is unusable and tenant pods cannot authenticate. The SA is a Platform-level identity primitive, not a fleet detail — the role is minted at the Platform layer and is meaningless without it. The Platform reconcile now creates the tenant-runtime SA (IRSA-annotated with the role it just minted) after setting status.IamRoleArn and before phase=Ready, so the SA always exists whenever the Platform is Ready. The AgentFleet and AgentSandbox reconcilers still call ensureTenantServiceAccount; CreateOrUpdate is idempotent so the duplicate calls are harmless.
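The reconcile ordering and the conformance check the description above explains, as an added example that is not the operator's own code: a stdlib-only Go model in which the API server is a map of ServiceAccount annotations, role minting is a callback, the Platform type is a constructed stand-in for the CR status, and the SERVICE_ACCOUNT_ROLE_MISMATCH finding code is hypothetical.

```go
package main

const (
	irsaRoleAnnotation = "eks.amazonaws.com/role-arn" // read by the EKS pod identity webhook
	tenantRuntimeSA    = "tenant-runtime"             // system:serviceaccount:<ns>:tenant-runtime
	FindingSAMissing   = "SERVICE_ACCOUNT_MISSING"
	FindingSAMismatch  = "SERVICE_ACCOUNT_ROLE_MISMATCH" // hypothetical finding code
)

// Constructed stand-ins: Platform carries the status fields the fix touches; saStore
// is a toy API server mapping "<ns>/<name>" to that ServiceAccount's annotations.
type Platform struct{ Namespace, Phase, IamRoleArn string }
type saStore map[string]map[string]string

// ensureTenantServiceAccount mirrors CreateOrUpdate: create if absent, then set the
// desired annotation. Repeated calls converge on the same object (idempotent).
func ensureTenantServiceAccount(store saStore, ns, roleArn string) {
	key := ns + "/" + tenantRuntimeSA
	if store[key] == nil {
		store[key] = map[string]string{} // create
	}
	store[key][irsaRoleAnnotation] = roleArn // update
}

// reconcilePlatform applies the ordering the fix establishes: mint the role once,
// record it in status, ensure the SA bound to it, and only then report Ready.
func reconcilePlatform(p *Platform, store saStore, mintRole func(ns string) string) {
	if p.IamRoleArn == "" {
		p.IamRoleArn = mintRole(p.Namespace)
	}
	ensureTenantServiceAccount(store, p.Namespace, p.IamRoleArn)
	p.Phase = "Ready"
}

// auditPlatform is the conformance gate: a Ready Platform must have the SA, and the
// SA must carry the role recorded in status, or the role's trust matches no identity.
func auditPlatform(p Platform, store saStore) []string {
	if p.Phase != "Ready" {
		return nil // still provisioning: the SA is allowed to be absent
	}
	ann, ok := store[p.Namespace+"/"+tenantRuntimeSA]
	if !ok {
		return []string{FindingSAMissing}
	}
	if ann[irsaRoleAnnotation] != p.IamRoleArn {
		return []string{FindingSAMismatch}
	}
	return nil
}
```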
The tenant-runtime ServiceAccount the tenant IRSA role's trust is scoped to was created only by the AgentFleet/AgentSandbox reconcilers, so a Platform could reach phase=Ready without it — a conformance audit (cloudgov) flags SERVICE_ACCOUNT_MISSING and the role is unusable. The Platform reconcile now creates the SA (IRSA-annotated) after minting the role and before phase=Ready, since it's a Platform-level identity primitive. The fleet/sandbox reconcilers still ensure it (idempotent).

Surfaced by the landing-zone task e2e harness reaching the cloudgov gate on real EKS. Operator make test (controller + conformance suites) passes.