Enable SyntheticPermissions feature gate for experimental channel

This commit enables the SyntheticPermissions feature to allow
ClusterExtensions to operate without specifying a ServiceAccount by
authenticating as synthetic users.

Feature gate changes:
- Enabled SyntheticPermissions in experimental channel (helm)
- Enabled SyntheticPermissions in tilt configuration

RBAC changes:
- Added conditional RBAC rules for impersonating users and the
  "olm:clusterextensions" group when SyntheticPermissions is enabled
- Kept existing serviceaccounts/token permissions for token-based auth

Logic changes:
- Updated SyntheticUserRestConfigMapper to check for empty SA name
  instead of synthetic-user sentinel value
- Modified NewRBACPreAuthorizer to accept a userInfoMapper function
- Implemented userInfoMapper in main.go to return synthetic user info
  when SA name is empty and feature gate is enabled, otherwise returns
  standard service account user info
- Updated authorization tests to work with new userInfoMapper pattern

With these changes:
- When ServiceAccount.Name is empty and SyntheticPermissions is enabled:
  authenticates as "olm:clusterextension:<name>" with group
  "olm:clusterextensions" using impersonation
- When ServiceAccount.Name is specified: uses existing token-based
  authentication (unchanged)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: joelanford

cmd/operator-controller/main.go

@@ -36,6 +36,7 @@ import (
 	k8slabels "k8s.io/apimachinery/pkg/labels"
 	k8stypes "k8s.io/apimachinery/pkg/types"
 	apimachineryrand "k8s.io/apimachinery/pkg/util/rand"
+	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/discovery/cached/memory"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -671,7 +672,15 @@ func setupHelm(
 	// determine if PreAuthorizer should be enabled based on feature gate
 	var preAuth authorization.PreAuthorizer
 	if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) {
-		preAuth = authorization.NewRBACPreAuthorizer(mgr.GetClient())
+		preAuth = authorization.NewRBACPreAuthorizer(mgr.GetClient(), func(ext *ocv1.ClusterExtension) (*user.DefaultInfo, error) {
+			if ext.Spec.ServiceAccount.Name == "" && features.OperatorControllerFeatureGate.Enabled(features.SyntheticPermissions) {
+				syntheticConfig := authentication.SyntheticImpersonationConfig(*ext)
+				return &user.DefaultInfo{Name: syntheticConfig.UserName, Groups: syntheticConfig.Groups}, nil
+			} else if ext.Spec.ServiceAccount.Name == "" || ext.Spec.Namespace == "" {
+				return nil, errors.New("service account name and namespace must be specified")
+			}
+			return &user.DefaultInfo{Name: fmt.Sprintf("system:serviceaccount:%s:%s", ext.Spec.Namespace, ext.Spec.ServiceAccount.Name)}, nil
+		})
 	}
 
 	cm := contentmanager.NewManager(clientRestConfigMapper, mgr.GetConfig(), mgr.GetRESTMapper())

docs/draft/howto/use-synthetic-permissions.md

@@ -8,7 +8,7 @@ Synthetic user permissions enables fine-grained configuration of ClusterExtensio
 User can not only configure RBAC permissions governing the management across all ClusterExtensions, but also on a 
 case-by-case basis.
 
-### Run OLM v1with Experimental Features Enabled
+### Run OLM v1 with Experimental Features Enabled
 
 ```terminal title=Enable Experimental Features in a New Kind Cluster
 make run-experimental
@@ -20,10 +20,11 @@ kubectl rollout status -n olmv1-system deployment/operator-controller-controller
 
 ### How does it work?
 
-When managing a ClusterExtension, OLM will assume the identity of user "olm:clusterextensions:<clusterextension-name>"
-and group "olm:clusterextensions" limiting Kubernetes API access scope to those defined for this user and group. These
-users and group do not exist beyond being defined in Cluster/RoleBinding(s) and can only be impersonated by clients with
- `impersonate` verb permissions on the `users` and `groups` resources.
+When managing a ClusterExtension that does not specify a service account, OLM will assume the identity of user
+"olm:clusterextension:<clusterextension-name>" and group "olm:clusterextensions" limiting Kubernetes API access scope
+to those defined for this user and group. These users and group do not exist beyond being defined in
+Cluster/RoleBinding(s) and can only be impersonated by clients with `impersonate` verb permissions on the `users` and
+`groups` resources.
 
 ### Demo
 
@@ -50,7 +51,7 @@ subjects:
   name: "olm:clusterextensions"
 ```
 
-##### Scoped olm:clusterextension group + Added perms on specific extensions
+##### Scoped olm:clusterextensions group + Added perms on specific extensions
 
 Give ClusterExtension management group broad permissions to manage ClusterExtensions denying potentially dangerous
 permissions such as being able to read cluster wide secrets:

hack/demo/resources/synthetic-user-perms/argocd-clusterextension.yaml

@@ -4,8 +4,6 @@ metadata:
   name: argocd-operator
 spec:
   namespace: argocd-system
-  serviceAccount:
-    name: "olm.synthetic-user"
   source:
     sourceType: Catalog
     catalog:

hack/demo/synthetic-user-cluster-admin-demo-script.sh

@@ -20,7 +20,7 @@ bat --style=plain ${DEMO_RESOURCE_DIR}/synthetic-user-perms/cegroup-admin-bindin
 # apply cluster role binding
 kubectl apply -f ${DEMO_RESOURCE_DIR}/synthetic-user-perms/cegroup-admin-binding.yaml
 
-# install cluster extension - for now .spec.serviceAccount = "olm.synthetic-user"
+# install cluster extension without specifying .spec.serviceAccount
 bat --style=plain ${DEMO_RESOURCE_DIR}/synthetic-user-perms/argocd-clusterextension.yaml
 
 # apply cluster extension

helm/experimental.yaml

@@ -13,6 +13,7 @@ options:
         - PreflightPermissions
         - HelmChartSupport
         - BoxcutterRuntime
+        - SyntheticPermissions
       disabled:
         - WebhookProviderOpenshiftServiceCA
 # List of enabled experimental features for catalogd

helm/olmv1/templates/rbac/clusterrole-operator-controller-manager-role.yml

@@ -1,4 +1,4 @@
-{{- if and .Values.options.operatorController.enabled (not (has "BoxcutterRuntime" .Values.operatorConrollerFeatures)) }}
+{{- if and .Values.options.operatorController.enabled (not (has "BoxcutterRuntime" .Values.options.operatorController.features.enabled)) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -15,6 +15,22 @@ rules:
       - serviceaccounts/token
     verbs:
       - create
+  {{- if (has "SyntheticPermissions" .Values.options.operatorController.features.enabled) }}
+  - apiGroups:
+      - ""
+    resources:
+      - users
+    verbs:
+      - impersonate
+  - apiGroups:
+      - ""
+    resources:
+      - groups
+    resourceNames:
+      - olm:clusterextensions
+    verbs:
+      - impersonate
+  {{- end }}
   - apiGroups:
       - apiextensions.k8s.io
     resources:

helm/tilt.yaml

@@ -17,6 +17,8 @@ options:
         - SingleOwnNamespaceInstallSupport
         - PreflightPermissions
         - HelmChartSupport
+        - BoxcutterRuntime
+        - SyntheticPermissions
       disabled:
         - WebhookProviderOpenshiftServiceCA
   catalogd:

internal/operator-controller/action/restconfig.go

@@ -14,18 +14,15 @@ import (
 	"github.com/operator-framework/operator-controller/internal/operator-controller/authentication"
 )
 
-const syntheticServiceAccountName = "olm.synthetic-user"
-
 // SyntheticUserRestConfigMapper returns an AuthConfigMapper that that impersonates synthetic users and groups for Object o.
-// o is expected to be a ClusterExtension. If the service account defined in o is different from 'olm.synthetic-user', the
-// defaultAuthMapper will be used
+// o is expected to be a ClusterExtension. If the service account is defined in o, the defaultAuthMapper will be used.
 func SyntheticUserRestConfigMapper(defaultAuthMapper func(ctx context.Context, o client.Object, c *rest.Config) (*rest.Config, error)) func(ctx context.Context, o client.Object, c *rest.Config) (*rest.Config, error) {
 	return func(ctx context.Context, o client.Object, c *rest.Config) (*rest.Config, error) {
 		cExt, err := validate(o, c)
 		if err != nil {
 			return nil, err
 		}
-		if cExt.Spec.ServiceAccount.Name != syntheticServiceAccountName {
+		if cExt.Spec.ServiceAccount.Name != "" {
 			return defaultAuthMapper(ctx, cExt, c)
 		}
 		cc := rest.CopyConfig(c)

internal/operator-controller/action/restconfig_test.go

@@ -98,22 +98,10 @@ func Test_SyntheticUserRestConfigMapper_Fails(t *testing.T) {
 		},
 	} {
 		t.Run(tc.description, func(t *testing.T) {
-			tokenGetter := &authentication.TokenGetter{}
-			saMapper := action.ServiceAccountRestConfigMapper(tokenGetter)
+			saMapper := action.SyntheticUserRestConfigMapper(nil)
 			actualCfg, err := saMapper(context.Background(), tc.obj, tc.cfg)
-			if tc.expectedError != nil {
-				require.Nil(t, actualCfg)
-				require.EqualError(t, err, tc.expectedError.Error())
-			} else {
-				require.NoError(t, err)
-				transport, err := rest.TransportFor(actualCfg)
-				require.NoError(t, err)
-				require.NotNil(t, transport)
-				tokenInjectionRoundTripper, ok := transport.(*authentication.TokenInjectingRoundTripper)
-				require.True(t, ok)
-				require.Equal(t, tokenGetter, tokenInjectionRoundTripper.TokenGetter)
-				require.Equal(t, types.NamespacedName{Name: "my-service-account", Namespace: "my-namespace"}, tokenInjectionRoundTripper.Key)
-			}
+			require.Nil(t, actualCfg)
+			require.EqualError(t, err, tc.expectedError.Error())
 		})
 	}
 }
@@ -150,9 +138,6 @@ func Test_SyntheticUserRestConfigMapper_UsesSyntheticAuthMapper(t *testing.T) {
 			Name: "my-clusterextension",
 		},
 		Spec: ocv1.ClusterExtensionSpec{
-			ServiceAccount: ocv1.ServiceAccountReference{
-				Name: "olm.synthetic-user",
-			},
 			Namespace: "my-namespace",
 		},
 	}

internal/operator-controller/authorization/rbac.go

@@ -55,13 +55,17 @@ var namespacedCollectionVerbs = []string{"create"}
 var clusterCollectionVerbs = []string{"list", "watch"}
 
 type rbacPreAuthorizer struct {
+	getUserInfo  userInfoMapper
 	authorizer   authorizer.Authorizer
 	ruleResolver validation.AuthorizationRuleResolver
 	restMapper   meta.RESTMapper
 }
 
-func NewRBACPreAuthorizer(cl client.Client) PreAuthorizer {
+type userInfoMapper func(extension *ocv1.ClusterExtension) (*user.DefaultInfo, error)
+
+func NewRBACPreAuthorizer(cl client.Client, getUserInfo userInfoMapper) PreAuthorizer {
 	return &rbacPreAuthorizer{
+		getUserInfo:  getUserInfo,
 		authorizer:   newRBACAuthorizer(cl),
 		ruleResolver: newRBACRulesResolver(cl),
 		restMapper:   cl.RESTMapper(),
@@ -84,7 +88,11 @@ func (a *rbacPreAuthorizer) PreAuthorize(ctx context.Context, ext *ocv1.ClusterE
 	if err != nil {
 		return nil, err
 	}
-	manifestManager := &user.DefaultInfo{Name: fmt.Sprintf("system:serviceaccount:%s:%s", ext.Spec.Namespace, ext.Spec.ServiceAccount.Name)}
+
+	manifestManager, err := a.getUserInfo(ext)
+	if err != nil {
+		return nil, fmt.Errorf("error getting user info mapping from clusterextension: %v", err)
+	}
 	attributesRecords := dm.asAuthorizationAttributesRecordsForUser(manifestManager, ext)
 
 	var preAuthEvaluationErrors []error