bug: Service account cannot create Workspaces due to impersonation failure #4038

@OlegErshov

Description

Describe the bug

When a service account creates a workspace, the workspace initialization fails because the apibinding initializer attempts to impersonate the service account in the newly created workspace, but the service account identity doesn't exist in that workspace context.

Current Behavior

When a service account (e.g., system:serviceaccount:default:platform-mesh-provider-account-operator-kubeconfig) creates a workspace:

  1. The workspace is created successfully and enters the Initializing phase
  2. The service account is registered in the experimental.tenancy.kcp.io/owner annotation
  3. The service account is added to the workspace-admin ClusterRoleBinding as a User kind
  4. During initialization, the apibinding initializer attempts to impersonate this service account
  5. Impersonation fails because the service account is foreign to the newly created workspace and doesn't exist in that workspace's context
  6. The workspace remains stuck in the Initializing phase with initializers [61i8h8nir1vojygo:security system:apibindings] never being removed

Error Logs

```json
{"ts":1776270996623.4114,"caller":"committer/committer.go:98","msg":"patching *v1alpha1.LogicalCluster","component":"kcp","postStartHook":"kcp-start-controllers","reconciler":"kcp-apibinder-initializer","key":"37qd0tx0ogfdluu3|cluster","logicalcluster.workspace":"37qd0tx0ogfdluu3","logicalcluster.namespace":"","logicalcluster.name":"cluster","logicalcluster.apiVersion":"","v":2,"patch":"{\"metadata\":{\"resourceVersion\":\"4889\",\"uid\":\"a77b08b0-8e4e-4a0e-a2b5-ab06be573c23\"},\"status\":{\"conditions\":[{\"lastTransitionTime\":\"2026-04-15T16:36:36Z\",\"message\":\"encountered errors: apibindings.apis.kcp.io is forbidden: User \\\"system:serviceaccount:default:platform-mesh-provider-account-operator-kubeconfig\\\" cannot create resource \\\"apibindings\\\" in API group \\\"apis.kcp.io\\\" at the cluster scope: access denied\\nNoOpinion\\nNoOpinion\",\"reason\":\"APIBindingErrors\",\"severity\":\"Error\",\"status\":\"False\",\"type\":\"APIBindingsInitialized\"},{\"lastTransitionTime\":\"2026-04-15T16:36:32Z\",\"message\":\"Initializers still exist: [61i8h8nir1vojygo:security system:apibindings]\",\"reason\":\"InitializerExists\",\"severity\":\"Info\",\"status\":\"False\",\"type\":\"WorkspaceInitialized\"}]}}"}
```

```json
{"ts":1776270996644.2437,"logger":"UnhandledError","caller":"initialization/apibinder_initializer_controller.go:291","msg":"Unhandled Error","err":"kcp-apibinder-initializer: failed to sync \"37qd0tx0ogfdluu3|cluster\", err: failed to patch *v1alpha1.LogicalCluster cluster: LogicalCluster.tenancy.kcp.io \"cluster\" is invalid: status.initializers: Invalid value: [\"61i8h8nir1vojygo:security\",\"system:apibindings\"]: only removing the \"system:apibindings\" initializer is supported"}
```

Workspace configuration

```yaml
apiVersion: tenancy.kcp.io/v1alpha1
kind: Workspace
metadata:
  annotations:
    experimental.tenancy.kcp.io/owner: '{"username":"system:serviceaccount:default:platform-mesh-provider-account-operator-kubeconfig","uid":"cad8af27-6d62-4812-8aed-58a3534c1388","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kcp.io/cluster-name":["2zdbzrlcu6lvqr7p"],"authentication.kcp.io/scopes":["cluster:2zdbzrlcu6lvqr7p"],"authentication.kubernetes.io/credential-id":["JTI=1caa34c6-0c1b-4734-add3-8f64e013e46f"],"authorization.kcp.io/warrant":["{\"user\":\"system:serviceaccount:default:rest\",\"groups\":[\"system:kcp:admin\"],\"extra\":{\"authentication.kcp.io/cluster-name\":[\"61i8h8nir1vojygo\"]}}"]}}'
    internal.tenancy.kcp.io/cluster: w783vg53w9knl1pg
    internal.tenancy.kcp.io/shard: 1pfxsevk
    kcp.io/cluster: 61i8h8nir1vojygo
  creationTimestamp: "2026-04-16T09:29:26Z"
  finalizers:
  - core.kcp.io/logicalcluster
  generation: 2
  labels:
    claimed.internal.apis.kcp.io/1wVabe5nrBdMhOVrFU5daNajotbjc8DSNwod8j: 3ktWBQAZOnUKcf2gtbz5RUs0muUl7BYpzFMndV
    claimed.internal.apis.kcp.io/bUYYpNRaymXvse13R8kwpO85TH5wGSyS8qqCVi: 3ktWBQAZOnUKcf2gtbz5RUs0muUl7BYpzFMndV
    tenancy.kcp.io/phase: Initializing
  name: test8
  ownerReferences:
  - apiVersion: core.platform-mesh.io/v1alpha1
    kind: Account
    name: test8
    uid: f3a343f1-f261-4c10-8555-1e787e9ac21b
  resourceVersion: "41734"
  uid: 31c252c2-d239-478c-a81b-10a98fa67d51
spec:
  URL: https://localhost:8443/clusters/root:orgs:test8
  cluster: w783vg53w9knl1pg
  type:
    name: test8-org
    path: root:orgs
status:
  conditions:
  - lastTransitionTime: "2026-04-16T09:29:26Z"
    message: 'Initializers still exist: [61i8h8nir1vojygo:security system:apibindings]'
    reason: InitializerExists
    severity: Info
    status: "False"
    type: WorkspaceInitialized
  - lastTransitionTime: "2026-04-16T09:29:26Z"
    status: "True"
    type: WorkspaceScheduled
  initializers:
  - 61i8h8nir1vojygo:security
  - system:apibindings
  phase: Initializing
  terminators:
  - 61i8h8nir1vojygo:security
```

workspace-admin ClusterRoleBinding

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    internal.kcp.io/replicate: apis.kcp.io,tenancy.kcp.io
    kcp.io/cluster: w783vg53w9knl1pg
  creationTimestamp: "2026-04-16T09:29:26Z"
  name: workspace-admin
  resourceVersion: "41724"
  uid: ae304ac2-0b6b-4de3-aa90-07d9265752b3
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:serviceaccount:default:platform-mesh-provider-account-operator-kubeconfig
```

Steps To Reproduce

  1. Run `task local-setup` from the helm-charts repo.
  2. Load the image for the platform-mesh operator by running `task docker:kind` from the branch `feat: workspace types migration` (platform-mesh/platform-mesh-operator#576).
  3. Create an Account resource in the `:root:orgs` workspace. In the newly created workspace there will be no apibindings.

Expected Behaviour

Service accounts should be able to create workspaces programmatically, with workspace initialization completing successfully.

Additional Context

The planned solution is tracked in KEP-0003: Workspace Lifecycle RBAC and Issue #4016, which will provide more flexible identity handling for workspace creation and initialization.
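A small preflight check for the condition this issue describes, written as an added example (not kcp's or platform-mesh's own code): it decodes the `experimental.tenancy.kcp.io/owner` annotation (the JSON shape shown in the workspace above), and reports when the owner is a service-account identity whose `authentication.kcp.io/cluster-name` extra points at a logical cluster other than the one the new workspace runs in, which is the case the apibinding initializer cannot impersonate. The function names (`ParseOwner`, `HomeCluster`, `ForeignServiceAccountOwner`) are this example's own; the sample annotation value is copied verbatim from the issue, and the target cluster id `w783vg53w9knl1pg` is the new workspace's `spec.cluster`. An operator or admission check can run this before (or while) a workspace sits in `Initializing` to explain why it is stuck.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// OwnerInfo mirrors the JSON stored in the experimental.tenancy.kcp.io/owner
// annotation as it appears in this issue (username, uid, groups, extra).
type OwnerInfo struct {
	Username string              `json:"username"`
	UID      string              `json:"uid"`
	Groups   []string            `json:"groups"`
	Extra    map[string][]string `json:"extra"`
}

const (
	// Kubernetes service-account usernames always carry this prefix.
	serviceAccountPrefix = "system:serviceaccount:"
	// Extra key kcp attaches to a service-account identity; value is the
	// logical cluster the token was issued for (seen in the annotation above).
	clusterNameExtraKey = "authentication.kcp.io/cluster-name"
)

// SampleOwnerAnnotation is the owner annotation from the stuck workspace in this issue.
const SampleOwnerAnnotation = `{"username":"system:serviceaccount:default:platform-mesh-provider-account-operator-kubeconfig","uid":"cad8af27-6d62-4812-8aed-58a3534c1388","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"],"extra":{"authentication.kcp.io/cluster-name":["2zdbzrlcu6lvqr7p"],"authentication.kcp.io/scopes":["cluster:2zdbzrlcu6lvqr7p"],"authentication.kubernetes.io/credential-id":["JTI=1caa34c6-0c1b-4734-add3-8f64e013e46f"],"authorization.kcp.io/warrant":["{\"user\":\"system:serviceaccount:default:rest\",\"groups\":[\"system:kcp:admin\"],\"extra\":{\"authentication.kcp.io/cluster-name\":[\"61i8h8nir1vojygo\"]}}"]}}`

// ParseOwner decodes the annotation value into OwnerInfo.
func ParseOwner(raw string) (OwnerInfo, error) {
	var o OwnerInfo
	if err := json.Unmarshal([]byte(raw), &o); err != nil {
		return OwnerInfo{}, fmt.Errorf("decoding owner annotation: %w", err)
	}
	if o.Username == "" {
		return OwnerInfo{}, fmt.Errorf("owner annotation has no username")
	}
	return o, nil
}

// IsServiceAccount reports whether a username is a service-account identity.
func IsServiceAccount(username string) bool {
	return strings.HasPrefix(username, serviceAccountPrefix)
}

// HomeCluster returns the logical cluster a service-account identity was
// issued for, taken from the authentication.kcp.io/cluster-name extra.
func HomeCluster(o OwnerInfo) (string, bool) {
	vals := o.Extra[clusterNameExtraKey]
	if len(vals) == 0 || vals[0] == "" {
		return "", false
	}
	return vals[0], true
}

// ForeignServiceAccountOwner returns a non-empty reason when the workspace
// owner is a service account that does not belong to targetCluster (the new
// workspace's own logical cluster), i.e. the identity the apibinding
// initializer would try to impersonate does not exist there. Human users and
// service accounts native to targetCluster yield "".
func ForeignServiceAccountOwner(raw, targetCluster string) (string, error) {
	owner, err := ParseOwner(raw)
	if err != nil {
		return "", err
	}
	if !IsServiceAccount(owner.Username) {
		return "", nil
	}
	home, ok := HomeCluster(owner)
	if !ok {
		return fmt.Sprintf("owner %q is a service account with no %s extra; its home cluster is unknown",
			owner.Username, clusterNameExtraKey), nil
	}
	if home == targetCluster {
		return "", nil
	}
	return fmt.Sprintf("owner %q is a service account from logical cluster %s and cannot be impersonated inside %s",
		owner.Username, home, targetCluster), nil
}

func main() {
	// The new workspace's spec.cluster from this issue.
	reason, err := ForeignServiceAccountOwner(SampleOwnerAnnotation, "w783vg53w9knl1pg")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if reason == "" {
		fmt.Println("owner can be impersonated in the new workspace")
	} else {
		fmt.Println("workspace will stall in Initializing:", reason)
	}
}
```

The check is deliberately conservative: a service account whose cluster-name extra is missing is reported too, since there is no way to confirm it exists in the target cluster.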
