SANDBOX-1067 | feature: namespace deletion member service account

[MikelAlejoBR]

The registration service uses the member service account to be able to
interact with the member clusters. In order to be able to delete the
user namespaces to trigger a reconciliation from the NSTemplateSet
controller, we need the service account to have the "delete" permission
too.

Jira ticket

[SANDBOX-1067]

Summary by CodeRabbit

• Tests
  • Expanded test coverage to include deletion permission checks for namespaces in addition to get/list/watch, improving verification of resource permission handling and reducing regressions in permission-sensitive flows.

[coderabbitai]

Walkthrough

The change updates WaitForToolchainClusterResources to expand the namespaces resource verbs from ["get", "list", "watch"] to ["delete", "get", "list", "watch"].

Changes

Cohort / File(s)	Summary
Test Support Configuration testsupport/wait/member.go	Added the delete verb to the namespaces resource verbs in WaitForToolchainClusterResources; no other logic changes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 I hopped through code with nimble feet,
A single verb added, tidy and neat,
delete joins get, list, watch in line,
Small change, small dance, all tests will shine,
Thump-thump — a rabbit's celebratory beat!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly describes the main change: adding namespace deletion capability to the member service account, which aligns with the changeset that extends namespaces resource Verbs to include 'delete'.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan for PR comments

• Generate coding plan

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[MikelAlejoBR]

/retest

[rsoaresd]

🚀

[mfrancisc]

Looks good!

Are you planning to add e2e tests in another PR and pair it with codeready-toolchain/registration-service#573 ?

[MikelAlejoBR]

Looks good!

Are you planning to add e2e tests in another PR and pair it with codeready-toolchain/registration-service#573 ?

Yes, that was the idea!

[fbm3307]

/retest

FYI- here if the paired member operator PR is not have the latest changes , the e2e and publish component e2e test fails i have updated the paired member operator PR with latest master changes.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fbm3307, mfrancisc, MikelAlejoBR, rsoaresd

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [fbm3307,mfrancisc,rsoaresd]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@testsupport/wait/member.go`:
- Around line 2658-2660: The ClusterRole binding grants cluster-wide namespace
deletion by listing "namespaces" in the Resources slice with the "delete" verb
for the toolchaincluster-member service account; remove the "delete" verb from
that Resources entry (or drop "namespaces" entirely) and instead implement a
separate, narrower ClusterRole/ServiceAccount reserved for namespace deletion
that validates ownership before deleting (create a dedicated controller and role
for that capability rather than allowing toolchaincluster-member to delete
cluster-scoped "namespaces").

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ee2e8349-fc85-4056-b4a0-9f6259095545

📥 Commits

Reviewing files that changed from the base of the PR and between 8947756 and 4eb58e5.

📒 Files selected for processing (1)

• testsupport/wait/member.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Avoid granting cluster-wide namespace deletion to the shared member service account.

namespaces is cluster-scoped, so adding delete here lets toolchaincluster-member delete any namespace on the member cluster, not just user namespaces. That is a much larger blast radius than the PR objective describes. Prefer a narrower trigger path, or isolate this capability behind a dedicated controller/service account that validates ownership before deleting.

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@testsupport/wait/member.go` around lines 2658 - 2660, The ClusterRole binding
grants cluster-wide namespace deletion by listing "namespaces" in the Resources
slice with the "delete" verb for the toolchaincluster-member service account;
remove the "delete" verb from that Resources entry (or drop "namespaces"
entirely) and instead implement a separate, narrower ClusterRole/ServiceAccount
reserved for namespace deletion that validates ownership before deleting (create
a dedicated controller and role for that capability rather than allowing
toolchaincluster-member to delete cluster-scoped "namespaces").

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[MikelAlejoBR]

/retest

[mfrancisc]

/retest

quay issue