OCPBUGS-65631: Use dedicated service accounts for multus pods

[ehearne-redhat]

This work was taken/adapted from yboaron's PR in #2845. yboaron has given me permission to take over his work on this.

Service accounts have been added to multus related pods.

• openshift-multus/cni-sysctl-allowlist-ds pod now uses multus-ancillary-tools ServiceAccount.
• openshift-multus/multus now uses newly created multus-node-identity ServiceAccount when NETWORK_NODE_IDENTITY_ENABLE == true instead of default. The service account has no bindings attached.

The commit message has been kept the same, and the logic has been kept the same from the mentioned PR. Though, line placement does differ for multus.yaml.

Summary by CodeRabbit

Release Notes

• Tests

  • Added tests to verify Multus DaemonSet uses the correct service account with node identity enabled/disabled and that the ancillary allowlist DaemonSet uses the expected service account.

• Chores

  • Multus DaemonSet service account assignment now switches based on network node identity feature.
  • Added a service account for node identity when that feature is enabled.

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65631, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (weliang@redhat.com), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This work was taken/adapted from yboaron's PR in #2845. yboaron has given me permission to take over his work on this.

Service accounts have been added to multus related pods.

• openshift-multus/cni-sysctl-allowlist-ds pod now uses multus-ancillary-tools ServiceAccount.
• openshift-multus/multus now uses newly created multus-node-identity ServiceAccount when NETWORK_NODE_IDENTITY_ENABLE == true instead of default. The service account has no bindings attached.

The commit message has been kept the same, and the logic has been kept the same from the mentioned PR. Though, line placement does differ for multus.yaml.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 2c972f87-3eab-48f5-964c-d0e724011556

📥 Commits

Reviewing files that changed from the base of the PR and between f65e0ae and d7eed00.

📒 Files selected for processing (4)

• bindata/allowlist/daemonset/daemonset.yaml
• bindata/network/multus/002-rbac.yaml
• bindata/network/multus/multus.yaml
• pkg/network/multus_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• bindata/network/multus/002-rbac.yaml
• pkg/network/multus_test.go

---

Walkthrough

Adds a new multus-node-identity ServiceAccount (conditional on NETWORK_NODE_IDENTITY_ENABLE), flips the Multus DaemonSet's serviceAccountName conditional to select that account when enabled, sets the allowlist DaemonSet to multus-ancillary-tools, and adds unit tests validating these manifests.

Changes

Cohort / File(s)	Summary
Multus RBAC bindata/network/multus/002-rbac.yaml	Adds ServiceAccount multus-node-identity under {{ if .NETWORK_NODE_IDENTITY_ENABLE }}.
Multus DaemonSet bindata/network/multus/multus.yaml	Flips conditional for spec.template.spec.serviceAccountName: uses multus-node-identity when NETWORK_NODE_IDENTITY_ENABLE is true, otherwise multus (comment added for disabled path).
Allowlist DaemonSet bindata/allowlist/daemonset/daemonset.yaml	Sets spec.template.spec.serviceAccountName: multus-ancillary-tools on the allowlist DaemonSet pod spec.
Tests pkg/network/multus_test.go	Adds tests that render manifests with/without node identity, assert DaemonSet serviceAccountName selection and presence/absence of multus-node-identity ServiceAccount; adds a helper to find DaemonSets and required imports.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	Test code violates single responsibility principle by combining two distinct test scenarios and lacks consistent assertion failure messages.	Split test into two separate functions and add meaningful failure messages to all assertions in both scenarios.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely summarizes the main change: introducing dedicated service accounts for multus-related pods, which is the core objective of the pull request.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR uses Go's standard testing package with Gomega assertions, not Ginkgo's BDD framework. Ginkgo check requirements do not apply.
Microshift Test Compatibility	✅ Passed	PR adds unit tests for Multus configuration, not Ginkgo e2e tests, so the check does not apply.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The pull request adds two new unit tests using Go's standard testing package and Gomega assertions, not Ginkgo e2e tests. The custom check applies only to new Ginkgo e2e tests, so it is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	Service account assignment to DaemonSets does not introduce scheduling constraints; changes are RBAC-focused without affinity, anti-affinity, or topology-specific logic.
Ote Binary Stdout Contract	✅ Passed	PR contains only YAML manifest changes and test additions in test blocks (It, BeforeEach), which are excluded from OTE Binary Stdout Contract checks. No process-level stdout writes detected.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests found. Changes contain only standard Go unit tests with no IPv4 assumptions or external connectivity requirements.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

level=error msg="Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: err: exit status 1: stderr: go: inconsistent vendoring in :\n\tgithub.com/Masterminds/semver@v1.5.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/Masterminds/sprig/v3@v3.2.3: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/containernetworking/cni@v0.8.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/ghodss/yaml@v1.0.1-0.20190212211648-25d852aebe32: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/go-bindata/go-bindata@v3.1.2+incompatible: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/onsi/gomega@v1.39.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/ope

... [truncated 17356 characters] ...

ired in go.mod, but not marked as explicit in vendor/modules.txt\n\tk8s.io/gengo/v2@v2.0.0-20251215205346-5ee0d033ba5b: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tk8s.io/kms@v0.35.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tk8s.io/kube-aggregator@v0.35.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tsigs.k8s.io/randfill@v1.0.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tsigs.k8s.io/structured-merge-diff/v6@v6.3.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\n\tTo ignore the vendor directory, use -mod=readonly or -mod=mod.\n\tTo sync the vendor directory, run:\n\t\tgo mod vendor\n"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest

[ehearne-redhat]

/retest-required

[ShazaAldawamneh]

just a nit:
Consider adding an explanatory comment here for clarity:

{{ if .NETWORK_NODE_IDENTITY_ENABLE }}
      serviceAccountName: multus-node-identity
{{ else }}
      # Network node identity disabled, use service account with permissions
      serviceAccountName: multus
{{ end }}

This helps future readers understand why the multus service account is used in this case.

[ShazaAldawamneh]

/lgtm

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65631, which is invalid:

• expected the bug to target either version "5.0." or "openshift-5.0.", but it targets "4.22" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

This work was taken/adapted from yboaron's PR in #2845. yboaron has given me permission to take over his work on this.

Service accounts have been added to multus related pods.

• openshift-multus/cni-sysctl-allowlist-ds pod now uses multus-ancillary-tools ServiceAccount.
• openshift-multus/multus now uses newly created multus-node-identity ServiceAccount when NETWORK_NODE_IDENTITY_ENABLE == true instead of default. The service account has no bindings attached.

The commit message has been kept the same, and the logic has been kept the same from the mentioned PR. Though, line placement does differ for multus.yaml.

Summary by CodeRabbit

Release Notes

• Tests

• Added tests to verify Multus DaemonSet uses the correct service account with node identity enabled/disabled and that the ancillary allowlist DaemonSet uses the expected service account.

• Chores

• Multus DaemonSet service account assignment now switches based on network node identity feature.

• Added a service account for node identity when that feature is enabled.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ehearne-redhat]

/jira refresh

[openshift-ci-robot]

@ehearne-redhat: This pull request references Jira Issue OCPBUGS-65631, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (weliang@redhat.com), skipping review request.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ShazaAldawamneh]

/lgtm

[ehearne-redhat]

/retest-required

[ehearne-redhat]

/retest-required

[ehearne-redhat]

/cherrypick release-4.22

Back porting to 4.22 as this was meant to be completed in 4.22 .

[openshift-cherrypick-robot]

@ehearne-redhat: once the present PR merges, I will cherry-pick it on top of release-4.22 in a new PR and assign it to you.

Details

In response to this:

/cherrypick release-4.22

Back porting to 4.22 as this was meant to be completed in 4.22 .

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kyrtapz]

/approve
/retest

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ehearne-redhat, kyrtapz, ShazaAldawamneh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [kyrtapz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ehearne-redhat]

/verified by ci/prow/e2e-gcp-ovn, ci/prow/unit

---
apiVersion: v1
kind: Pod
metadata:
  annotations:
    cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
  creationTimestamp: "2026-04-23T11:02:40Z"
  generateName: multus-
  ...
  serviceAccount: multus-node-identity
  serviceAccountName: multus-node-identity
  ...
  phase: Running
...

---
apiVersion: v1
kind: Pod
metadata:
  annotations:
    cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
  creationTimestamp: "2026-04-23T11:17:12Z"
  generateName: multus-additional-cni-plugins-
  ...
  serviceAccount: multus-ancillary-tools
  serviceAccountName: multus-ancillary-tools
  ...
  phase: Running
 ...

[openshift-ci-robot]

@ehearne-redhat: This PR has been marked as verified by ci/prow/e2e-gcp-ovn,ci/prow/unit.

Details

In response to this:

/verified by ci/prow/e2e-gcp-ovn, ci/prow/unit

---
apiVersion: v1
kind: Pod
metadata:
 annotations:
   cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
 creationTimestamp: "2026-04-23T11:02:40Z"
 generateName: multus-
 ...
 serviceAccount: multus-node-identity
 serviceAccountName: multus-node-identity
 ...
 phase: Running
...

---
apiVersion: v1
kind: Pod
metadata:
 annotations:
   cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
 creationTimestamp: "2026-04-23T11:17:12Z"
 generateName: multus-additional-cni-plugins-
 ...
 serviceAccount: multus-ancillary-tools
 serviceAccountName: multus-ancillary-tools
 ...
 phase: Running
...

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ehearne-redhat: Jira Issue Verification Checks: Jira Issue OCPBUGS-65631
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-65631 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

This work was taken/adapted from yboaron's PR in #2845. yboaron has given me permission to take over his work on this.

Service accounts have been added to multus related pods.

• openshift-multus/cni-sysctl-allowlist-ds pod now uses multus-ancillary-tools ServiceAccount.
• openshift-multus/multus now uses newly created multus-node-identity ServiceAccount when NETWORK_NODE_IDENTITY_ENABLE == true instead of default. The service account has no bindings attached.

The commit message has been kept the same, and the logic has been kept the same from the mentioned PR. Though, line placement does differ for multus.yaml.

Summary by CodeRabbit

Release Notes

• Tests

• Added tests to verify Multus DaemonSet uses the correct service account with node identity enabled/disabled and that the ancillary allowlist DaemonSet uses the expected service account.

• Chores

• Multus DaemonSet service account assignment now switches based on network node identity feature.

• Added a service account for node identity when that feature is enabled.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@ehearne-redhat: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/security	d7eed00	link	false	/test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-cherrypick-robot]

@ehearne-redhat: new pull request created: #2985

Details

In response to this:

/cherrypick release-4.22

Back porting to 4.22 as this was meant to be completed in 4.22 .

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-merge-robot]

Fix included in release 5.0.0-0.nightly-2026-04-30-154809