WINC-1147: Implement node-specific RBAC for WICD

[mansikulkarni96]

Update:

• Certificates automatically renew at 80% of their lifetime (8 minutes for 10-minute certs)
• Used certificate.Manager from k8s.io/client-go instead of custom certificate handling
• Webhook implementation in follow-up PR to address cross node access

Certificate-Based Authentication:

• Add certificate-based ClusterRole (system-wicd-nodes) with enhanced permissions
• Add ClusterRoleBinding that grants permissions to system:wicd-nodes group
• Certificate identity format: system:wicd-node:nodename

RBAC Permissions:

• Bootstrap ServiceAccount: Minimal permissions for CSR creation and ConfigMap access
• Certificate-based users: Enhanced permissions for node patching

Security Model:

1. ServiceAccount (bootstrap): Limited permissions during initial setup
2. CSR Controller: Validates certificate requests from nodes
3. Node-specific access enforced by webhook
4. Webhook: Future enhancement in a follow-up PR, preventing cross-node access and unauthorized annotations

Reference ovn-controller implementation: openshift/ovn-kubernetes@7dc4804

The flow is:

1. WICD → Creates node-specific CSR
2. WMCO CSR Controller → Auto-approves the CSR
3. K8s Certificate Authority → Signs and issues the certificate
4. WICD → Uses the certificate for all subsequent node operations like applying annotations
   This gives each WICD instance a unique, node-specific certificate identity that the admission webhook can validate against in the follow-up.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[red-hat-konflux]

Caution

There are some errors in your PipelineRun template.

PipelineRun	Error
wmco-idms	no kind "ImageDigestMirrorSet" is registered for version "config.openshift.io/v1" in scheme "k8s.io/client-go/kubernetes/scheme/register.go:83"

[red-hat-konflux]

Caution

There are some errors in your PipelineRun template.

PipelineRun	Error
wmco-idms	no kind "ImageDigestMirrorSet" is registered for version "config.openshift.io/v1" in scheme "k8s.io/client-go/kubernetes/scheme/register.go:83"

[openshift-ci-robot]

@mansikulkarni96: This pull request references WINC-1147 which is a valid jira issue.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mansikulkarni96]

/test aws-e2e-operator

[mansikulkarni96]

/test aws-e2e-operator

[mansikulkarni96]

/cc: @openshift/openshift-team-windows-containers

[mansikulkarni96]

/test aws-e2e-operator

[mansikulkarni96]

/test aws-e2e-operator

[openshift-ci-robot]

@mansikulkarni96: This pull request references WINC-1147 which is a valid jira issue.

In response to this:

Implement node-specific RBAC for WICD
Implement RBAC controls to ensure each WICD instance can only
access the specific Windows node it is running on, following
the principle of least privilege.

• Add pkg/rbac/node_rbac.go with creation and cleanup logic
• Create individual ServiceAccounts, ClusterRoles,
  and ClusterRoleBindings for nodes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[mansikulkarni96]

/test aws-e2e-operator

[mansikulkarni96]

/test aws-e2e-operator

[jrvaldes]

consider using full name for the annotation

daemon.windowsinstanceconfig.openshift.io/scope: "bootstrap"

[jrvaldes]

include openshift in the app name. i.e. openshift-windows-machine-config-operator

[jrvaldes]

/test lint

[mansikulkarni96]

added back for upgrade scenario, since during upgrade previous version of WICD binary will not have the capability and permissions to remove annotations from node using the certificate method.

[jrvaldes]

good catch

[jrvaldes]

/lgtm

[mansikulkarni96]

/hold cancel

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 26f5ad3 and 2 for PR HEAD ea07d8e in total

[mansikulkarni96]

/retest-required

azure cluster install issue

[deepsm007]

/retest-required

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 4168c85 and 1 for PR HEAD ea07d8e in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 3c630a6 and 0 for PR HEAD ea07d8e in total

[openshift-ci-robot]

/hold

Revision ea07d8e was retested 3 times: holding

[mansikulkarni96]

/test azure-e2e-upgrade

[mansikulkarni96]

/hold cancel

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 93b7a71 and 2 for PR HEAD ea07d8e in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 0be2fbd and 1 for PR HEAD ea07d8e in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD da88249 and 0 for PR HEAD ea07d8e in total

[openshift-ci-robot]

/hold

Revision ea07d8e was retested 3 times: holding

[mansikulkarni96]

/override ci/prow/nutanix-e2e-operator ci/prow/vsphere-e2e-operator ci/prow/vsphere-proxy-e2e-operator
test passed on previous runs

[openshift-ci]

@mansikulkarni96: Overrode contexts on behalf of mansikulkarni96: ci/prow/nutanix-e2e-operator, ci/prow/vsphere-e2e-operator, ci/prow/vsphere-proxy-e2e-operator

In response to this:

/override ci/prow/nutanix-e2e-operator ci/prow/vsphere-e2e-operator ci/prow/vsphere-proxy-e2e-operator
test passed on previous runs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[jrvaldes]

@mansikulkarni96 is it safe to remove the hold?

[jrvaldes]

cc @sebsoto

[mansikulkarni96]

/hold cancel

[mansikulkarni96]

/override ci/prow/nutanix-e2e-operator ci/prow/vsphere-proxy-e2e-operator ci/prow/aws-e2e-operator ci/prow/azure-e2e-operator ci/prow/vsphere-disconnected-e2e-operator ci/prow/azure-e2e-upgrade
test passed on previous runs

[openshift-ci]

@mansikulkarni96: Overrode contexts on behalf of mansikulkarni96: ci/prow/aws-e2e-operator, ci/prow/azure-e2e-operator, ci/prow/azure-e2e-upgrade, ci/prow/nutanix-e2e-operator, ci/prow/vsphere-disconnected-e2e-operator, ci/prow/vsphere-proxy-e2e-operator

In response to this:

/override ci/prow/nutanix-e2e-operator ci/prow/vsphere-proxy-e2e-operator ci/prow/aws-e2e-operator ci/prow/azure-e2e-operator ci/prow/vsphere-disconnected-e2e-operator ci/prow/azure-e2e-upgrade
test passed on previous runs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@mansikulkarni96: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.