SREP-2356 bug fix : Adding service account to fix the issue

pkg/webhooks/networkoperator/networkoperator.go

@@ -18,7 +18,7 @@ import (
 
 const (
 	WebhookName string = "network-operator-validation"
-	docString   string = `Managed OpenShift customers may not modify critical fields in the network.operator CRD (such as spec.migration.networkType) because it can disrupt Cluster Network Operator operations and CNI migrations. Only backplane-cluster-admin and SRE service accounts are allowed to modify these critical fields. Regular cluster-admin users (system:admin) are explicitly blocked.`
+	docString   string = `Managed OpenShift customers may not modify critical fields in the network.operator CRD (such as spec.migration.networkType) because it can disrupt Cluster Network Operator operations and CNI migrations. Only backplane-cluster-admin, SRE service accounts, and the Cluster Network Operator (CNO) service account are allowed to modify these critical fields. Regular cluster-admin users (system:admin) are explicitly blocked.`
 )
 
 var (
@@ -43,9 +43,11 @@ var (
 		"backplane-cluster-admin",
 	}
 
-	// Groups allowed to modify critical migration fields
+	// Groups allowed to modify critical migration fields (SRE and the Cluster Network Operator)
 	sreAdminGroups = []string{
 		"system:serviceaccounts:openshift-backplane-srep",
+		// CNO runs in openshift-network-operator and must be able to patch network.operator for CNI migration
+		"system:serviceaccounts:openshift-network-operator",
 	}
 )
 
@@ -284,10 +286,10 @@ func (w *NetworkOperatorWebhook) SyncSetLabelSelector() metav1.LabelSelector {
 	return utils.DefaultLabelSelector()
 }
 
-func (w *NetworkOperatorWebhook) ClassicEnabled() bool { return false }
+func (w *NetworkOperatorWebhook) ClassicEnabled() bool { return true }
 
 // HypershiftEnabled will return boolean value for hypershift enabled configurations
-func (w *NetworkOperatorWebhook) HypershiftEnabled() bool { return false }
+func (w *NetworkOperatorWebhook) HypershiftEnabled() bool { return true }
 
 // NewWebhook creates a new webhook
 func NewWebhook() *NetworkOperatorWebhook {

pkg/webhooks/networkoperator/networkoperator_test.go

@@ -418,6 +418,53 @@ func TestAuthorized(t *testing.T) {
 			},
 			ExpectAllowed: true,
 		},
+		{
+			Name: "Cluster Network Operator (CNO) service account modifying migration.networkType should be allowed",
+			Request: admissionctl.Request{
+				AdmissionRequest: admissionv1.AdmissionRequest{
+					UserInfo: authenticationv1.UserInfo{
+						Username: "system:serviceaccount:openshift-network-operator:cluster-network-operator",
+						Groups: []string{
+							"system:serviceaccounts:openshift-network-operator",
+						},
+					},
+					Kind: metav1.GroupVersionKind{
+						Group: "operator.openshift.io",
+						Kind:  "Network",
+					},
+					Operation: admissionv1.Update,
+					Object: runtime.RawExtension{
+						Raw: []byte(`{
+							"apiVersion": "operator.openshift.io/v1",
+							"kind": "Network",
+							"metadata": {
+								"name": "cluster"
+							},
+							"spec": {
+								"migration": {
+									"networkType": "OVNKubernetes"
+								}
+							}
+						}`),
+					},
+					OldObject: runtime.RawExtension{
+						Raw: []byte(`{
+							"apiVersion": "operator.openshift.io/v1",
+							"kind": "Network",
+							"metadata": {
+								"name": "cluster"
+							},
+							"spec": {
+								"migration": {
+									"networkType": "OpenShiftSDN"
+								}
+							}
+						}`),
+					},
+				},
+			},
+			ExpectAllowed: true,
+		},
 		{
 			Name: "backplane-cluster-admin modifying migration.networkType should be allowed",
 			Request: admissionctl.Request{