BUG Description

The RBAC used created by CLI is blocking cluster upgrades, which is impacting the development on the 'cluster upgrade' feature.

Steps to reproduce:

• Run the OPCT
• Run the cluster upgrade (manually, by run-upgrade with openshift-tests, or through CLI with development feature)
• The cluster operator service-ca stuck on "Progressing..."

I also able to reproduce in different scenarios:

• S1) Running upgrade with existing permissions [1]
• S2) Running upgrade without setting permissions
• S3) Running upgrade with SCC used by kube-cert (without [1]) [2]

The S1 and S3 got the same errors.

On S2, the cluster is upgraded successfully,  but the Sonobuoy got stuck (another block handled by SPLAT-876 ).

As described on the KCS[3], the ClusterOperator service-ca getting stuck could be due changes done on the system groups. As described on [1] the CLI is associating the group system:serviceaccounts to anyuid SCC groups:
$ oc adm policy who-can use scc anyuid | grep serviceaccounts
        system:serviceaccounts
 

ENGINEERING DETAILS

[1] https://github.com/redhat-openshift-ecosystem/provider-certification-tool/blob/main/pkg/run/run.go#L193-L249

[2] https://github.com/cncf/k8s-conformance/tree/master/v1.24/openshift#run-conformance-tests

[3] https://access.redhat.com/solutions/5875621