operator-framework
diff --git a/‎api/v1/clusterextension_types.go‎
Lines changed: 25 additions & 5 deletions b/‎api/v1/clusterextension_types.go‎
Lines changed: 25 additions & 5 deletions
diff --git a/‎cmd/operator-controller/main.go‎
Lines changed: 15 additions & 1 deletion b/‎cmd/operator-controller/main.go‎
Lines changed: 15 additions & 1 deletion
diff --git a/‎docs/api-reference/olmv1-api-reference.md‎
Lines changed: 3 additions & 3 deletions b/‎docs/api-reference/olmv1-api-reference.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎docs/draft/howto/use-synthetic-permissions.md‎
Lines changed: 134 additions & 0 deletions b/‎docs/draft/howto/use-synthetic-permissions.md‎
Lines changed: 134 additions & 0 deletions
@@ -55,6 +55,13 @@ type ClusterExtensionSpec struct {
 	// Some extensions may contain namespace-scoped resources to be applied in other namespaces.
 	// This namespace must exist.
 	//
+	// <opcon:standard:description>
+	// This is also the namespace of the referenced service account.
+	// </opcon:standard:description>
+	// <opcon:experimental:description>
+	// This is also the namespace of the referenced service account, if specified.
+	// </opcon:experimental:description>
+	//
 	// namespace is required, immutable, and follows the DNS label standard
 	// as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-),
 	// start and end with an alphanumeric character, and be no longer than 63 characters
@@ -69,11 +76,24 @@ type ClusterExtensionSpec struct {
 
 	// serviceAccount is a reference to a ServiceAccount used to perform all interactions
 	// with the cluster that are required to manage the extension.
-	// Appropriate RBAC must be configured to grant the necessary permissions to the ServiceAccount.
+	// <opcon:standard:description>
+	// The ServiceAccount must be configured with the necessary permissions to perform these interactions.
+	//
 	// serviceAccount is required.
+	// </opcon:standard:description>
 	//
-	// +kubebuilder:validation:Required
-	ServiceAccount ServiceAccountReference `json:"serviceAccount"`
+	// <opcon:experimental:description>
+	// If serviceAccount is specified, OLM will authenticate as that service account.
+	// Otherwise, operator-controller will authenticate as:
+	//   - User:  "olmv1:clusterextensions:<clusterExtensionName>"
+	//   - Group: "olmv1:clusterextensions"
+	//
+	// The authenticated user must be configured with the necessary permissions to perform these interactions.
+	// </opcon:experimental:description>
+	//
+	// <opcon:standard:validation:Required>
+	// <opcon:experimental:validation:Optional>
+	ServiceAccount ServiceAccountReference `json:"serviceAccount,omitzero"`
 
 	// source is a required field which selects the installation source of content
 	// for this ClusterExtension. Selection is performed by setting the sourceType.
@@ -373,7 +393,7 @@ type CatalogFilter struct {
 	UpgradeConstraintPolicy UpgradeConstraintPolicy `json:"upgradeConstraintPolicy,omitempty"`
 }
 
-// ServiceAccountReference identifies the serviceAccount name used for managing a ClusterExtension.
+// ServiceAccountReference identifies the serviceAccount name used to manage a ClusterExtension.
 type ServiceAccountReference struct {
 	// name is a required, immutable reference to the name of the ServiceAccount
 	// to be used for installation and management of the content for the package
@@ -401,7 +421,7 @@ type ServiceAccountReference struct {
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="name is immutable"
 	// +kubebuilder:validation:XValidation:rule="self.matches(\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\")",message="name must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters"
 	// +kubebuilder:validation:Required
-	Name string `json:"name"`
+	Name string `json:"name,omitempty"`
 }
 
 // PreflightConfig holds the configuration for the preflight checks.  If used, at least one preflight check must be non-nil.
 
@@ -36,6 +36,7 @@ import (
 	k8slabels "k8s.io/apimachinery/pkg/labels"
 	k8stypes "k8s.io/apimachinery/pkg/types"
 	apimachineryrand "k8s.io/apimachinery/pkg/util/rand"
+	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/discovery/cached/memory"
 	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -63,6 +64,7 @@ import (
 	ocv1 "github.com/operator-framework/operator-controller/api/v1"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/action"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/applier"
+	"github.com/operator-framework/operator-controller/internal/operator-controller/authentication"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/authorization"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/catalogmetadata/cache"
 	catalogclient "github.com/operator-framework/operator-controller/internal/operator-controller/catalogmetadata/client"
@@ -645,6 +647,9 @@ func setupHelm(
 		return fmt.Errorf("unable to create core client: %w", err)
 	}
 	clientRestConfigMapper := action.ServiceAccountRestConfigMapper()
+	if features.OperatorControllerFeatureGate.Enabled(features.SyntheticPermissions) {
+		clientRestConfigMapper = action.SyntheticUserRestConfigMapper(clientRestConfigMapper)
+	}
 
 	cfgGetter, err := helmclient.NewActionConfigGetter(mgr.GetConfig(), mgr.GetRESTMapper(),
 		helmclient.StorageDriverMapper(action.ChunkedStorageDriverMapper(coreClient, mgr.GetAPIReader(), cfg.systemNamespace)),
@@ -668,7 +673,16 @@ func setupHelm(
 	// determine if PreAuthorizer should be enabled based on feature gate
 	var preAuth authorization.PreAuthorizer
 	if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) {
-		preAuth = authorization.NewRBACPreAuthorizer(mgr.GetClient())
+		preAuth = authorization.NewRBACPreAuthorizer(mgr.GetClient(), func(ext *ocv1.ClusterExtension) (*user.DefaultInfo, error) {
+			if ext.Spec.ServiceAccount.Name == "" && features.OperatorControllerFeatureGate.Enabled(features.SyntheticPermissions) {
+				syntheticConfig := authentication.SyntheticImpersonationConfig(*ext)
+				return &user.DefaultInfo{Name: syntheticConfig.UserName, Groups: syntheticConfig.Groups}, nil
+			} else if ext.Spec.ServiceAccount.Name == "" || ext.Spec.Namespace == "" {
+				return nil, errors.New("service account name and namespace must be specified")
+			}
+			saConfig := authentication.ServiceAccountImpersonationConfig(*ext)
+			return &user.DefaultInfo{Name: saConfig.UserName, Groups: saConfig.Groups}, nil
+		})
 	}
 
 	cm := contentmanager.NewManager(clientRestConfigMapper, mgr.GetConfig(), mgr.GetRESTMapper())
 
@@ -339,8 +339,8 @@ _Appears in:_
 
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `namespace` _string_ | namespace is a reference to a Kubernetes namespace.<br />This designates the default namespace where namespace-scoped resources<br />for the extension are applied to the cluster.<br />Some extensions may contain namespace-scoped resources to be applied in other namespaces.<br />This namespace must exist.<br />namespace is required, immutable, and follows the DNS label standard<br />as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-),<br />start and end with an alphanumeric character, and be no longer than 63 characters<br />[RFC 1123]: https://tools.ietf.org/html/rfc1123 |  | MaxLength: 63 <br />Required: \{\} <br /> |
-| `serviceAccount` _[ServiceAccountReference](#serviceaccountreference)_ | serviceAccount is a reference to a ServiceAccount used to perform all interactions<br />with the cluster that are required to manage the extension.<br />Appropriate RBAC must be configured to grant the necessary permissions to the ServiceAccount.<br />serviceAccount is required. |  | Required: \{\} <br /> |
+| `namespace` _string_ | namespace is a reference to a Kubernetes namespace.<br />This designates the default namespace where namespace-scoped resources<br />for the extension are applied to the cluster.<br />Some extensions may contain namespace-scoped resources to be applied in other namespaces.<br />This namespace must exist.<br /><opcon:standard:description><br />This is also the namespace of the referenced service account.<br /></opcon:standard:description><br /><opcon:experimental:description><br />This is also the namespace of the referenced service account, if specified.<br /></opcon:experimental:description><br />namespace is required, immutable, and follows the DNS label standard<br />as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-),<br />start and end with an alphanumeric character, and be no longer than 63 characters<br />[RFC 1123]: https://tools.ietf.org/html/rfc1123 |  | MaxLength: 63 <br />Required: \{\} <br /> |
+| `serviceAccount` _[ServiceAccountReference](#serviceaccountreference)_ | serviceAccount is a reference to a ServiceAccount used to perform all interactions<br />with the cluster that are required to manage the extension.<br /><opcon:standard:description><br />The ServiceAccount must be configured with the necessary permissions to perform these interactions.<br />serviceAccount is required.<br /></opcon:standard:description><br /><opcon:experimental:description><br />If serviceAccount is specified, OLM will authenticate as that service account.<br />Otherwise, operator-controller will authenticate as:<br />  - User:  "olmv1:clusterextensions:<clusterExtensionName>"<br />  - Group: "olmv1:clusterextensions"<br />The authenticated user must be configured with the necessary permissions to perform these interactions.<br /></opcon:experimental:description><br /><opcon:standard:validation:Required><br /><opcon:experimental:validation:Optional> |  |  |
 | `source` _[SourceConfig](#sourceconfig)_ | source is a required field which selects the installation source of content<br />for this ClusterExtension. Selection is performed by setting the sourceType.<br />Catalog is currently the only implemented sourceType, and setting the<br />sourcetype to "Catalog" requires the catalog field to also be defined.<br />Below is a minimal example of a source definition (in yaml):<br />source:<br />  sourceType: Catalog<br />  catalog:<br />    packageName: example-package |  | Required: \{\} <br /> |
 | `install` _[ClusterExtensionInstallConfig](#clusterextensioninstallconfig)_ | install is an optional field used to configure the installation options<br />for the ClusterExtension such as the pre-flight check configuration. |  |  |
 | `config` _[ClusterExtensionConfig](#clusterextensionconfig)_ | config is an optional field used to specify bundle specific configuration<br />used to configure the bundle. Configuration is bundle specific and a bundle may provide<br />a configuration schema. When not specified, the default configuration of the resolved bundle will be used.<br />config is validated against a configuration schema provided by the resolved bundle. If the bundle does not provide<br />a configuration schema the final manifests will be derived on a best-effort basis. More information on how<br />to configure the bundle should be found in its end-user documentation.<br /><opcon:experimental> |  |  |
@@ -439,7 +439,7 @@ _Appears in:_
 
 
 
-ServiceAccountReference identifies the serviceAccount name used for managing a ClusterExtension.
+ServiceAccountReference identifies the serviceAccount name used to manage a ClusterExtension.
 
 
 
 
@@ -0,0 +1,134 @@
+## Synthetic User Permissions
+
+!!! note
+This feature is still in *alpha* the `SyntheticPermissions` feature-gate must be enabled to make use of it.
+See the instructions below on how to enable it.
+
+Synthetic user permissions enables fine-grained configuration of ClusterExtension management client RBAC permissions.
+User can not only configure RBAC permissions governing the management across all ClusterExtensions, but also on a 
+case-by-case basis.
+
+### Run OLM v1 with Experimental Features Enabled
+
+```terminal title=Enable Experimental Features in a New Kind Cluster
+make run-experimental
+```
+
+```terminal title=Wait for rollout to complete
+kubectl rollout status -n olmv1-system deployment/operator-controller-controller-manager 
+```
+
+### How does it work?
+
+When managing a ClusterExtension that does not specify a service account, OLM will assume the identity of user
+"olm:clusterextensions:<clusterextension-name>" and group "olm:clusterextensions" limiting Kubernetes API access scope
+to those defined for this user and group. These users and group do not exist beyond being defined in
+Cluster/RoleBinding(s) and can only be impersonated by clients with `impersonate` verb permissions on the `users` and
+`groups` resources.
+
+### Demo
+
+[![asciicast](https://asciinema.org/a/Jbtt8nkV8Dm7vriHxq7sxiVvi.svg)](https://asciinema.org/a/Jbtt8nkV8Dm7vriHxq7sxiVvi)
+
+#### Examples:
+
+##### ClusterExtension management as cluster-admin
+
+To enable ClusterExtensions management as cluster-admin, bind the `cluster-admin` cluster role to the `olm:clusterextensions`
+group:
+
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+    name: clusterextensions-group-admin-binding
+roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: cluster-admin
+subjects:
+- kind: Group
+  name: "olm:clusterextensions"
+```
+
+##### Scoped olm:clusterextensions group + Added perms on specific extensions
+
+Give ClusterExtension management group broad permissions to manage ClusterExtensions denying potentially dangerous
+permissions such as being able to read cluster wide secrets:
+
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: clusterextension-installer
+rules:
+  - apiGroups: [ olm.operatorframework.io ]
+    resources: [ clusterextensions/finalizers ]
+    verbs: [ update ]
+  - apiGroups: [ apiextensions.k8s.io ]
+    resources: [ customresourcedefinitions ]
+    verbs: [ create, list, watch, get, update, patch, delete ]
+  - apiGroups: [ rbac.authorization.k8s.io ]
+    resources: [ clusterroles, roles, clusterrolebindings, rolebindings ]
+    verbs: [ create, list, watch, get, update, patch, delete ]
+  - apiGroups: [""]
+    resources: [configmaps, endpoints, events, pods, pod/logs, serviceaccounts, services, services/finalizers, namespaces, persistentvolumeclaims]
+    verbs: ['*']
+  - apiGroups: [apps]
+    resources: [ '*' ]
+    verbs: ['*']
+  - apiGroups: [ batch ]
+    resources: [ '*' ]
+    verbs: [ '*' ]
+  - apiGroups: [ networking.k8s.io ]
+    resources: [ '*' ]
+    verbs: [ '*' ]
+  - apiGroups: [authentication.k8s.io]
+    resources: [tokenreviews, subjectaccessreviews]
+    verbs: [create]
+```
+
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+    name: clusterextension-installer-binding
+roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: clusterextension-installer
+subjects:
+- kind: Group
+  name: "olm:clusterextensions"
+```
+
+Give a specific ClusterExtension secrets access, maybe even on specific namespaces:
+
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+    name: clusterextension-privileged
+rules:
+- apiGroups: [""]
+  resources: [secrets]
+  verbs: ['*']
+```
+
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+    name: clusterextension-privileged-binding
+    namespace: <some namespace>
+roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: clusterextension-privileged
+subjects:
+- kind: User
+  name: "olm:clusterextensions:argocd-operator"
+```
+
+Note: In this example the ClusterExtension user (or group) will still need to be updated to be able to manage
+the CRs coming from the argocd operator. Some look ahead and RBAC permission wrangling will still be required.