OCPBUGS-60496: Use BoundServceAccountTokenVolume dy default

[lance5890]

The BoundServiceAccountTokenVolume is enabled by default, and the auto-generated sa has also injected the service-ca.crt

kind of post-cleanup of #1142 and openshift/kubernetes#714

[openshift-ci-robot]

@lance5890: This pull request explicitly references no jira issue.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lance5890
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @lance5890. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[lance5890]

/cc @vrutkovs

[vrutkovs]

Could you create a jira ticket with a more thorough description? We certainly need to discuss it first in order to avoid regressions - and consider backporting it too

[lance5890]

Could you create a jira ticket with a more thorough description? We certainly need to discuss it first in order to avoid regressions - and consider backporting it too

I will create a Jira ticket for this. The change has been tested in my local cluster, and I'll share more details soon. Do you think this PR deserves an /ok-to-test to verify if it works in the ocp CI environment?

[openshift-ci-robot]

@lance5890: This pull request references Jira Issue OCPBUGS-60496, which is invalid:

• expected the bug to target the "4.20.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

The BoundServiceAccountTokenVolume is enabled by default, and the auto-generated sa has also injected the service-ca.crt

kind of post-cleanup of #1142 and openshift/kubernetes#714

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[vrutkovs]

Ah, yes, sure
/ok-to-test

[vrutkovs]

/jira refresh

[openshift-ci-robot]

@vrutkovs: This pull request references Jira Issue OCPBUGS-60496, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.20.0) matches configured target version for branch (4.20.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@lance5890: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-azure-ovn	a7c1760	link	false	/test e2e-azure-ovn
ci/prow/okd-scos-e2e-aws-ovn	a7c1760	link	false	/test okd-scos-e2e-aws-ovn
ci/prow/e2e-aws-ovn-upgrade	a7c1760	link	true	/test e2e-aws-ovn-upgrade
ci/prow/e2e-gcp-operator-single-node	a7c1760	link	false	/test e2e-gcp-operator-single-node

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[lance5890]

Could you create a jira ticket with a more thorough description? We certainly need to discuss it first in order to avoid regressions - and consider backporting it too

the related pr openshift/cluster-version-operator#660 will block the upgrade

need more investigation

[lance5890]

/hold

[lance5890]

need to wait the openshift/cluster-version-operator#1225 to merge first

[lance5890]

the automountServiceAccountToken should be supported within cvo for upgrading

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[coderabbitai]

Walkthrough

This change removes service account token mounting and related Kubernetes API access configuration from the kube-apiserver-operator deployment manifest. Specifically, it eliminates the automountServiceAccountToken directive, the kube-api-access volumeMount, and the projected volume containing token, CA bundle, and downwardAPI data.

Changes

Cohort / File(s)	Change Summary
kube-apiserver-operator deployment configuration manifests/0000_20_kube-apiserver-operator_06_deployment.yaml	Removed automountServiceAccountToken: false from pod spec; removed kube-api-access volumeMount from container spec; removed kube-api-access projected volume containing service account token, CA bundle, and downwardAPI references.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

• Single manifest file with homogeneous changes (all removals of related configuration fields)
• Verify intent — confirm that removing service account token access and API credentials from this deployment is intentional and necessary
• Check downstream impact — ensure no dependent components or scripts rely on the removed kube-api-access volume or automountServiceAccountToken setting

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 36917f5 and a7c1760.

📒 Files selected for processing (1)

• manifests/0000_20_kube-apiserver-operator_06_deployment.yaml (0 hunks)

💤 Files with no reviewable changes (1)

• manifests/0000_20_kube-apiserver-operator_06_deployment.yaml

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}