🐛 add create verb to boxcutter preflight #2587

Open
kuiwang02 wants to merge 1 commit into operator-framework:main from kuiwang02:fix78211
@kuiwang02

Summary

Fixes Boxcutter applier's preflight permission check to properly validate namespace-scoped CREATE permissions.

Problem

After PR #2539, the Boxcutter applier's RBACPreAuthorizer was missing the WithNamespacedCollectionVerbs("create") configuration. This caused the preflight check to pass without validating CREATE permissions, leading to installation failures when the applier attempted to create resources like ServiceAccounts.

The Helm applier was correctly configured with this option (line 746), but the Boxcutter applier configuration (line 620) was missing it.

Changes

  • Added WithNamespacedCollectionVerbs("create") to Boxcutter's RBACPreAuthorizer instantiation in boxcutterReconcilerConfigurator.Configure()

Note: Boxcutter does not need WithClusterCollectionVerbs("list", "watch") because it doesn't use the contentmanager component, unlike the Helm applier.

Related Issues

Assisted-By: Claude Code
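
An added illustration, not part of the original PR and not operator-controller code: a simplified model of a preflight check, showing how an installer identity that lacks create on ServiceAccounts passes when only per-object verbs are checked and is caught once "create" is checked at the collection level. Rule, Object, allowed and Preflight are hypothetical names, and the split into per-object and collection verbs is an assumption modelled on the option named in the description above.

```go
package main

import (
	"fmt"
	"slices"
)

// Rule is a simplified namespaced RBAC rule (constructed model, not the Kubernetes API types).
type Rule struct{ Verbs, Resources, ResourceNames []string }

// Object is one namespaced resource the applier intends to manage.
type Object struct{ Resource, Name string }

// allowed: a rule with resourceNames matches only named requests; collection requests use name "".
func allowed(rules []Rule, verb, resource, name string) bool {
	for _, r := range rules {
		if slices.Contains(r.Verbs, verb) && slices.Contains(r.Resources, resource) &&
			(len(r.ResourceNames) == 0 || (name != "" && slices.Contains(r.ResourceNames, name))) {
			return true
		}
	}
	return false
}

// Preflight (hypothetical) lists missing permissions: objectVerbs are checked per
// named object, collectionVerbs against the unnamed collection of that resource.
func Preflight(rules []Rule, objs []Object, objectVerbs, collectionVerbs []string) []string {
	var missing []string
	check := func(verbs []string, resource, name, label string) {
		for _, v := range verbs {
			if !allowed(rules, v, resource, name) {
				missing = append(missing, v+" "+label)
			}
		}
	}
	for _, o := range objs {
		check(objectVerbs, o.Resource, o.Name, o.Resource+"/"+o.Name)
		check(collectionVerbs, o.Resource, "", o.Resource)
	}
	return missing
}

func main() {
	// Constructed sample: the installer may modify ServiceAccounts but not create them.
	rules := []Rule{{Verbs: []string{"get", "update"}, Resources: []string{"serviceaccounts"}}}
	objs := []Object{{Resource: "serviceaccounts", Name: "my-operator"}}
	fmt.Println("without collection verbs:", Preflight(rules, objs, []string{"get", "update"}, nil))
	fmt.Println("with create:", Preflight(rules, objs, []string{"get", "update"}, []string{"create"}))
}
```

In this model a create grant that is limited by resourceNames still fails the collection check, which matches Kubernetes RBAC: create requests cannot be restricted by resource name.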

Copilot AI review requested due to automatic review settings March 24, 2026 05:30
@openshift-ci openshift-ci bot requested review from pedjak and trgeiger March 24, 2026 05:30
@netlify

netlify bot commented Mar 24, 2026

Deploy Preview for olmv1 ready!

Name Link
🔨 Latest commit 01437c5
🔍 Latest deploy log https://app.netlify.com/projects/olmv1/deploys/69c33b99575f8d0008d3d12e
😎 Deploy Preview https://deploy-preview-2587--olmv1.netlify.app

Contributor

Copilot AI left a comment

Pull request overview

This PR fixes Boxcutter applier preflight RBAC validation so it correctly checks for namespace-scoped CREATE permissions, preventing installs from passing preflight but failing later when creating namespaced resources (e.g., ServiceAccounts).

Changes:

  • Configure Boxcutter’s RBACPreAuthorizer with WithNamespacedCollectionVerbs("create") under the PreflightPermissions feature gate.

@kuiwang02 kuiwang02 changed the title 🐛add create verb to boxcutter preflight 🐛 add create verb to boxcutter preflight Mar 24, 2026
@kuiwang02 kuiwang02 changed the title 🐛 add create verb to boxcutter preflight Patch fix: 🐛 (:bug:) add create verb to boxcutter preflight Mar 24, 2026
@kuiwang02 kuiwang02 changed the title Patch fix: 🐛 (:bug:) add create verb to boxcutter preflight 🐛 add create verb to boxcutter preflight Mar 24, 2026
@kuiwang02
Author

/cc @perdasilva

@openshift-ci openshift-ci bot requested a review from perdasilva March 24, 2026 05:37
@codecov

codecov bot commented Mar 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.79%. Comparing base (a307a6d) to head (01437c5).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2587      +/-   ##
==========================================
+ Coverage   65.84%   67.79%   +1.95%     
==========================================
  Files         137      137              
  Lines        9560     9577      +17     
==========================================
+ Hits         6295     6493     +198     
+ Misses       2795     2585     -210     
- Partials      470      499      +29     
Flag Coverage Δ
e2e 38.09% <0.00%> (+26.90%) ⬆️
experimental-e2e 51.17% <100.00%> (+0.11%) ⬆️
unit 52.85% <0.00%> (+0.05%) ⬆️

Member

@fgiudici fgiudici left a comment

LGTM. Good catch!

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 24, 2026
Contributor

@pedjak pedjak left a comment

please add e2e tests that assert the change.

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 24, 2026
@openshift-ci

openshift-ci bot commented Mar 25, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fgiudici
Once this PR has been reviewed and has the lgtm label, please ask for approval from pedjak. For more information see the Code Review Process.

@kuiwang02
Author

> LGTM. Good catch!

@fgiudici Thanks!

@kuiwang02
Author

> please add e2e tests that assert the change.

@pedjak I added e2e cases for the change and it passes. Could you please review it again? Thanks
