Update Openshift version supported range

[shreyabiradar07]

Summary

This PR updates the Operator's supported OpenShift version range from v4.13 to v4.21 as Red Hat currently maintains 9 active indices for the community catalog.

Changes

• Metadata: Updated com.redhat.openshift.versions to v4.13-v4.21 in bundle/metadata/annotations.yaml.
• Kubernetes Version Bump: This update increases the minimum Kubernetes requirement to v1.26.0+ because the new OpenShift support range (v4.13–v4.21) is built on Kubernetes versions 1.26 through 1.34
• Removes unused horizontalpodautoscaler (HPA) permission

Summary by Sourcery

Update documented and declared platform compatibility for the operator to align with newer Kubernetes and OpenShift versions.

Enhancements:

• Raise the minimum supported Kubernetes version for the operator to v1.26.0 across manifests and documentation.
• Update the supported OpenShift version range metadata to v4.13–v4.21.

Documentation:

• Refresh README and overlay documentation to reflect the new minimum Kubernetes and OpenShift version requirements.

Summary by Sourcery

Update platform compatibility to require Kubernetes v1.26+ and OpenShift v4.13–v4.21 while aligning RBAC and metadata with newer Kubernetes APIs.

Enhancements:

• Raise the minimum supported Kubernetes version in CSV metadata, manifests, and documentation from v1.23.0 to v1.26.0.
• Update supported OpenShift version range metadata from v4.10–v4.20 to v4.13–v4.21.
• Adjust RBAC rules and kubebuilder annotations to use the stable batch/v1 CronJob API and correct job/cronjob permissions.
• Remove unused RBAC permissions related to HorizontalPodAutoscaler from the permission granter role.

Documentation:

• Refresh README and overlay documentation to reflect the new minimum Kubernetes and OpenShift version requirements.

Summary by Sourcery

Update documented and declared platform compatibility to require newer Kubernetes and OpenShift versions and simplify RBAC permissions.

Enhancements:

• Raise the minimum supported Kubernetes version for the operator to v1.26.0 in CSV metadata and overlays.
• Update the supported OpenShift version range metadata to v4.13–v4.21.
• Remove unused HorizontalPodAutoscaler permissions from the permission granter RBAC role.

Documentation:

• Update README and overlay documentation to reflect Kubernetes v1.26.0+ and OpenShift v4.13+ prerequisites.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Aligns the operator’s declared platform support with newer Kubernetes and OpenShift versions by bumping the minimum Kubernetes version, updating OpenShift version metadata, and simplifying RBAC permissions.

Flow diagram for updated permission granter RBAC behavior

flowchart TD
  A["KruizeOperator"] --> B["OperatorServiceAccount"]
  B --> C["PermissionGranterRole"]

  C --> D["Access replicasets"]
  C --> E["Access daemonsets"]
  C --> F["Access /metrics nonResourceURL"]

Loading

File-Level Changes

Change	Details	Files
Raise the minimum supported Kubernetes version requirement from v1.23.0 to v1.26.0 across documentation and CSV manifests.	Update deployment prerequisites in README to require kubectl v1.26.0+ and Kubernetes v1.26.0+ Increase spec.minKubeVersion from 1.23.0 to 1.26.0 in the published ClusterServiceVersion Increase spec.minKubeVersion from 1.23.0 to 1.26.0 in the base CSV manifest used for bundle generation Update overlay README to describe Kubernetes 1.26.0+ as the required platform	README.md bundle/manifests/kruize-operator.clusterserviceversion.yaml config/manifests/bases/kruize-operator.clusterserviceversion.yaml config/overlays/README.md
Update the Operator’s declared OpenShift compatibility range in bundle metadata.	Change com.redhat.openshift.versions annotation from v4.10-v4.20 to v4.13-v4.21 in bundle metadata annotations	bundle/metadata/annotations.yaml
Tighten RBAC by removing unused HorizontalPodAutoscaler permissions from the permission granter role.	Drop autoscaling/horizontalpodautoscalers get/list/watch rule from the permission_granter_role RBAC manifest	config/rbac/permission_granter_role.yaml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've left some high level feedback:

• The README now states "OpenShift v4.13+" while the bundle annotation constrains support to "v4.13-v4.21"; consider aligning the phrasing so users don't assume support beyond 4.21.
• Given the description notes underlying Kubernetes versions 1.26–1.34 for the new OpenShift range, double-check whether minKubeVersion should remain at 1.25.0 or be raised to 1.26.0 to match the effective platform baseline.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The README now states "OpenShift v4.13+" while the bundle annotation constrains support to "v4.13-v4.21"; consider aligning the phrasing so users don't assume support beyond 4.21.
- Given the description notes underlying Kubernetes versions 1.26–1.34 for the new OpenShift range, double-check whether `minKubeVersion` should remain at 1.25.0 or be raised to 1.26.0 to match the effective platform baseline.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[shreyabiradar07]

@sourcery-ai review

[sourcery-ai]

Hey - I've found 2 issues, and left some high level feedback:

• In both the RBAC role.yaml and the kubebuilder RBAC markers, the apiGroup for CronJobs should remain batch (not batch/v1); API version goes in the resource manifest’s apiVersion, while RBAC apiGroups should be the group name only.
• The PR description mentions raising the minimum Kubernetes version to v1.25.0, but the manifests and README now require v1.26.0+; consider aligning the stated minimum version to avoid confusion.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In both the RBAC role.yaml and the kubebuilder RBAC markers, the apiGroup for CronJobs should remain `batch` (not `batch/v1`); API version goes in the resource manifest’s `apiVersion`, while RBAC `apiGroups` should be the group name only.
- The PR description mentions raising the minimum Kubernetes version to v1.25.0, but the manifests and README now require v1.26.0+; consider aligning the stated minimum version to avoid confusion.

## Individual Comments

### Comment 1
<location path="config/rbac/role.yaml" line_range="187" />
<code_context>
-  - watch
 - apiGroups:
-  - batch
+  - batch/v1
   resources:
-  - jobs
</code_context>
<issue_to_address>
**issue (bug_risk):** Using `batch/v1` in `apiGroups` is likely invalid; `apiGroups` should be the group without the version (e.g. `batch`).

In RBAC, `apiGroups` must be just the group name (e.g. `batch`), not `group/version`. The version belongs in the resource’s `apiVersion`, not in the RBAC rule. Using `batch/v1` here will likely break authorization for CronJobs; keep `apiGroups: ["batch"]` while using `batch/v1` for the CronJob API itself.
</issue_to_address>

### Comment 2
<location path="internal/controller/kruize_controller.go" line_range="71" />
<code_context>
 //+kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create
 //+kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;create
-//+kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=get;list;watch;create
+//+kubebuilder:rbac:groups=batch/v1,resources=cronjobs,verbs=get;list;watch;create
 //+kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;list;watch;create
</code_context>
<issue_to_address>
**issue (bug_risk):** Kubebuilder RBAC `groups` value should normally be the API group without version (e.g. `batch`, not `batch/v1`).

Using `batch/v1` here is likely incorrect for kubebuilder RBAC markers. `groups` should match the API group only (e.g. `batch`), not the versioned group, otherwise the generated RBAC may not work. Please keep this as `groups=batch` even though CronJob is now served from `batch/v1`.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[shreyabiradar07]

@sourcery-ai review

[sourcery-ai]

Hey - I've left some high level feedback:

• Since the minimum supported Kubernetes/OpenShift versions have been raised, double-check any remaining version references in deployment scripts or Helm charts (if present) to keep user-facing compatibility signals consistent with these manifest changes.
• With the removal of horizontalpodautoscalers from the permission_granter role, verify that no code paths in the operator still attempt to access HPAs; if they do, consider scoping that access into a dedicated role instead of reintroducing broad permissions.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Since the minimum supported Kubernetes/OpenShift versions have been raised, double-check any remaining version references in deployment scripts or Helm charts (if present) to keep user-facing compatibility signals consistent with these manifest changes.
- With the removal of `horizontalpodautoscalers` from the permission_granter role, verify that no code paths in the operator still attempt to access HPAs; if they do, consider scoping that access into a dedicated role instead of reintroducing broad permissions.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}