Create SA for backup jobs

A new SA is created for the backup jobs to limit the permission to just
what is necessary.

Signed-off-by: Ales Raszka <[email protected]>

Author: Allda

controllers/backupcronjob/backupcronjob_controller.go

@@ -149,8 +149,9 @@ func (r *BackupCronJobReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Complete(r)
 }
 
-// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;create;update;patch;delete
 // +kubebuilder:rbac:groups="",resources=persistentvolumeclaims,verbs=get;list
+// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;create;update;patch;delete
+// +kubebuilder:rbac:groups="",resources=serviceaccounts;,verbs=get;list;create;update;patch;delete
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;create;update;patch;delete
 // +kubebuilder:rbac:groups=controller.devfile.io,resources=devworkspaceoperatorconfigs,verbs=get;list;update;patch;watch
 // +kubebuilder:rbac:groups=workspace.devfile.io,resources=devworkspaces,verbs=get;list
@@ -270,6 +271,12 @@ func (r *BackupCronJobReconciler) executeBackupSync(ctx context.Context, dwOpera
 		dwID := dw.Status.DevWorkspaceId
 		log.Info("Found DevWorkspace", "namespace", dw.Namespace, "devworkspace", dw.Name, "id", dwID)
 
+		err = r.ensureJobRunnerRBAC(ctx, &dw)
+		if err != nil {
+			log.Error(err, "Failed to ensure Job runner RBAC for DevWorkspace", "id", dwID)
+			continue
+		}
+
 		if err := r.createBackupJob(&dw, ctx, dwOperatorConfig, registyAuthSecret, logger); err != nil {
 			log.Error(err, "Failed to create backup Job for DevWorkspace", "id", dwID)
 			continue
@@ -384,7 +391,8 @@ func (r *BackupCronJobReconciler) createBackupJob(
 		Spec: batchv1.JobSpec{
 			Template: corev1.PodTemplateSpec{
 				Spec: corev1.PodSpec{
-					RestartPolicy: corev1.RestartPolicyNever,
+					ServiceAccountName: JobRunnerSAName,
+					RestartPolicy:      corev1.RestartPolicyNever,
 					SecurityContext: &corev1.PodSecurityContext{
 						FSGroup: ptrInt64(0),
 					},

controllers/backupcronjob/rbac.go

@@ -0,0 +1,56 @@
+//
+// Copyright (c) 2019-2025 Red Hat, Inc.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package controllers
+
+import (
+	"context"
+	"fmt"
+
+	dw "github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha2"
+	"github.com/devfile/devworkspace-operator/pkg/constants"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+)
+
+const (
+	JobRunnerSAName = "devworkspace-job-runner"
+)
+
+func (r *BackupCronJobReconciler) ensureJobRunnerRBAC(ctx context.Context, workspace *dw.DevWorkspace) error {
+	const (
+		roleName = "devworkspace-job-runner-role"
+		rbName   = "devworkspace-job-runner-rolebinding"
+	)
+
+	sa := &corev1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{Name: JobRunnerSAName, Namespace: workspace.Namespace, Labels: map[string]string{
+			constants.DevWorkspaceIDLabel:          workspace.Status.DevWorkspaceId,
+			constants.DevWorkspaceWatchSecretLabel: "true",
+		}},
+	}
+
+	// Create or update ServiceAccount
+	if err := controllerutil.SetControllerReference(workspace, sa, r.Scheme); err != nil {
+		return err
+	}
+	if _, err := controllerutil.CreateOrUpdate(ctx, r.Client, sa, func() error { return nil }); err != nil {
+		return fmt.Errorf("ensuring ServiceAccount: %w", err)
+	}
+
+	return nil
+
+}

deploy/bundle/manifests/devworkspace-operator.clusterserviceversion.yaml

@@ -20,7 +20,6 @@ rules:
   resources:
   - configmaps
   - pods
-  - serviceaccounts
   - services
   verbs:
   - '*'
@@ -45,12 +44,6 @@ rules:
   - pods/exec
   verbs:
   - create
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - '*'
 - apiGroups:
   - ""
   resourceNames:
@@ -62,6 +55,13 @@ rules:
   - delete
   - get
   - patch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - serviceaccounts
+  verbs:
+  - '*'
 - apiGroups:
   - admissionregistration.k8s.io
   resources: