operator-framework
diff --git a/‎api/v1/clusterextension_types.go‎
Lines changed: 4 additions & 7 deletions b/‎api/v1/clusterextension_types.go‎
Lines changed: 4 additions & 7 deletions
diff --git a/‎cmd/operator-controller/main.go‎
Lines changed: 1 addition & 6 deletions b/‎cmd/operator-controller/main.go‎
Lines changed: 1 addition & 6 deletions
diff --git a/‎config/samples/olm_v1_clusterextension.yaml‎
Lines changed: 7 additions & 5 deletions b/‎config/samples/olm_v1_clusterextension.yaml‎
Lines changed: 7 additions & 5 deletions
diff --git a/‎docs/api-reference/olmv1-api-reference.md‎
Lines changed: 4 additions & 4 deletions b/‎docs/api-reference/olmv1-api-reference.md‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎docs/draft/howto/use-synthetic-permissions.md‎
Lines changed: 0 additions & 133 deletions b/‎docs/draft/howto/use-synthetic-permissions.md‎
Lines changed: 0 additions & 133 deletions
diff --git a/‎docs/howto/derive-service-account.md‎
Lines changed: 21 additions & 10 deletions b/‎docs/howto/derive-service-account.md‎
Lines changed: 21 additions & 10 deletions
@@ -49,8 +49,8 @@ const (
 // ClusterExtensionSpec defines the desired state of ClusterExtension
 type ClusterExtensionSpec struct {
 	// namespace is a reference to a Kubernetes namespace.
-	// This is the namespace in which the provided ServiceAccount must exist.
-	// It also designates the default namespace where namespace-scoped resources
+	//
+	// This designates the default namespace where namespace-scoped resources
 	// for the extension are applied to the cluster.
 	// Some extensions may contain namespace-scoped resources to be applied in other namespaces.
 	// This namespace must exist.
@@ -69,8 +69,7 @@ type ClusterExtensionSpec struct {
 
 	// serviceAccount is a reference to a ServiceAccount used to perform all interactions
 	// with the cluster that are required to manage the extension.
-	// The ServiceAccount must be configured with the necessary permissions to perform these interactions.
-	// The ServiceAccount must exist in the namespace referenced in the spec.
+	// Appropriate RBAC must be configured to grant the necessary permissions to the ServiceAccount.
 	// serviceAccount is required.
 	//
 	// +kubebuilder:validation:Required
@@ -374,14 +373,12 @@ type CatalogFilter struct {
 	UpgradeConstraintPolicy UpgradeConstraintPolicy `json:"upgradeConstraintPolicy,omitempty"`
 }
 
-// ServiceAccountReference identifies the serviceAccount used fo install a ClusterExtension.
+// ServiceAccountReference identifies the serviceAccount name used for managing a ClusterExtension.
 type ServiceAccountReference struct {
 	// name is a required, immutable reference to the name of the ServiceAccount
 	// to be used for installation and management of the content for the package
 	// specified in the packageName field.
 	//
-	// This ServiceAccount must exist in the installNamespace.
-	//
 	// name follows the DNS subdomain standard as defined in [RFC 1123].
 	// It must contain only lowercase alphanumeric characters,
 	// hyphens (-) or periods (.), start and end with an alphanumeric character,
 
@@ -63,7 +63,6 @@ import (
 	ocv1 "github.com/operator-framework/operator-controller/api/v1"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/action"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/applier"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/authentication"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/authorization"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/catalogmetadata/cache"
 	catalogclient "github.com/operator-framework/operator-controller/internal/operator-controller/catalogmetadata/client"
@@ -645,11 +644,7 @@ func setupHelm(
 	if err != nil {
 		return fmt.Errorf("unable to create core client: %w", err)
 	}
-	tokenGetter := authentication.NewTokenGetter(coreClient, authentication.WithExpirationDuration(1*time.Hour))
-	clientRestConfigMapper := action.ServiceAccountRestConfigMapper(tokenGetter)
-	if features.OperatorControllerFeatureGate.Enabled(features.SyntheticPermissions) {
-		clientRestConfigMapper = action.SyntheticUserRestConfigMapper(clientRestConfigMapper)
-	}
+	clientRestConfigMapper := action.ServiceAccountRestConfigMapper()
 
 	cfgGetter, err := helmclient.NewActionConfigGetter(mgr.GetConfig(), mgr.GetRESTMapper(),
 		helmclient.StorageDriverMapper(action.ChunkedStorageDriverMapper(coreClient, mgr.GetAPIReader(), cfg.systemNamespace)),
 
@@ -4,11 +4,13 @@ kind: Namespace
 metadata:
   name: argocd
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: argocd-installer
-  namespace: argocd
+# NOTE: The ServiceAccount resource is intentionally NOT created here.
+# OLM v1 uses Kubernetes impersonation and does not require the ServiceAccount to exist.
+# For security reasons, you should NOT create a ServiceAccount resource for the installer,
+# as it would be highly privileged and could be mounted by other pods in the namespace.
+# Instead, only the RBAC resources (ClusterRole, ClusterRoleBinding, Role, RoleBinding)
+# are created, which reference the ServiceAccount name "argocd-installer".
+# OLM will impersonate that ServiceAccount and be subject to these RBAC permissions.
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 
@@ -339,8 +339,8 @@ _Appears in:_
 
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `namespace` _string_ | namespace is a reference to a Kubernetes namespace.<br />This is the namespace in which the provided ServiceAccount must exist.<br />It also designates the default namespace where namespace-scoped resources<br />for the extension are applied to the cluster.<br />Some extensions may contain namespace-scoped resources to be applied in other namespaces.<br />This namespace must exist.<br />namespace is required, immutable, and follows the DNS label standard<br />as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-),<br />start and end with an alphanumeric character, and be no longer than 63 characters<br />[RFC 1123]: https://tools.ietf.org/html/rfc1123 |  | MaxLength: 63 <br />Required: \{\} <br /> |
-| `serviceAccount` _[ServiceAccountReference](#serviceaccountreference)_ | serviceAccount is a reference to a ServiceAccount used to perform all interactions<br />with the cluster that are required to manage the extension.<br />The ServiceAccount must be configured with the necessary permissions to perform these interactions.<br />The ServiceAccount must exist in the namespace referenced in the spec.<br />serviceAccount is required. |  | Required: \{\} <br /> |
+| `namespace` _string_ | namespace is a reference to a Kubernetes namespace.<br />This designates the default namespace where namespace-scoped resources<br />for the extension are applied to the cluster.<br />Some extensions may contain namespace-scoped resources to be applied in other namespaces.<br />This namespace must exist.<br />namespace is required, immutable, and follows the DNS label standard<br />as defined in [RFC 1123]. It must contain only lowercase alphanumeric characters or hyphens (-),<br />start and end with an alphanumeric character, and be no longer than 63 characters<br />[RFC 1123]: https://tools.ietf.org/html/rfc1123 |  | MaxLength: 63 <br />Required: \{\} <br /> |
+| `serviceAccount` _[ServiceAccountReference](#serviceaccountreference)_ | serviceAccount is a reference to a ServiceAccount used to perform all interactions<br />with the cluster that are required to manage the extension.<br />Appropriate RBAC must be configured to grant the necessary permissions to the ServiceAccount.<br />serviceAccount is required. |  | Required: \{\} <br /> |
 | `source` _[SourceConfig](#sourceconfig)_ | source is a required field which selects the installation source of content<br />for this ClusterExtension. Selection is performed by setting the sourceType.<br />Catalog is currently the only implemented sourceType, and setting the<br />sourcetype to "Catalog" requires the catalog field to also be defined.<br />Below is a minimal example of a source definition (in yaml):<br />source:<br />  sourceType: Catalog<br />  catalog:<br />    packageName: example-package |  | Required: \{\} <br /> |
 | `install` _[ClusterExtensionInstallConfig](#clusterextensioninstallconfig)_ | install is an optional field used to configure the installation options<br />for the ClusterExtension such as the pre-flight check configuration. |  |  |
 | `config` _[ClusterExtensionConfig](#clusterextensionconfig)_ | config is an optional field used to specify bundle specific configuration<br />used to configure the bundle. Configuration is bundle specific and a bundle may provide<br />a configuration schema. When not specified, the default configuration of the resolved bundle will be used.<br />config is validated against a configuration schema provided by the resolved bundle. If the bundle does not provide<br />a configuration schema the final manifests will be derived on a best-effort basis. More information on how<br />to configure the bundle should be found in its end-user documentation.<br /><opcon:experimental> |  |  |
@@ -439,7 +439,7 @@ _Appears in:_
 
 
 
-ServiceAccountReference identifies the serviceAccount used fo install a ClusterExtension.
+ServiceAccountReference identifies the serviceAccount name used for managing a ClusterExtension.
 
 
 
@@ -448,7 +448,7 @@ _Appears in:_
 
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `name` _string_ | name is a required, immutable reference to the name of the ServiceAccount<br />to be used for installation and management of the content for the package<br />specified in the packageName field.<br />This ServiceAccount must exist in the installNamespace.<br />name follows the DNS subdomain standard as defined in [RFC 1123].<br />It must contain only lowercase alphanumeric characters,<br />hyphens (-) or periods (.), start and end with an alphanumeric character,<br />and be no longer than 253 characters.<br />Some examples of valid values are:<br />  - some-serviceaccount<br />  - 123-serviceaccount<br />  - 1-serviceaccount-2<br />  - someserviceaccount<br />  - some.serviceaccount<br />Some examples of invalid values are:<br />  - -some-serviceaccount<br />  - some-serviceaccount-<br />[RFC 1123]: https://tools.ietf.org/html/rfc1123 |  | MaxLength: 253 <br />Required: \{\} <br /> |
+| `name` _string_ | name is a required, immutable reference to the name of the ServiceAccount<br />to be used for installation and management of the content for the package<br />specified in the packageName field.<br />name follows the DNS subdomain standard as defined in [RFC 1123].<br />It must contain only lowercase alphanumeric characters,<br />hyphens (-) or periods (.), start and end with an alphanumeric character,<br />and be no longer than 253 characters.<br />Some examples of valid values are:<br />  - some-serviceaccount<br />  - 123-serviceaccount<br />  - 1-serviceaccount-2<br />  - someserviceaccount<br />  - some.serviceaccount<br />Some examples of invalid values are:<br />  - -some-serviceaccount<br />  - some-serviceaccount-<br />[RFC 1123]: https://tools.ietf.org/html/rfc1123 |  | MaxLength: 253 <br />Required: \{\} <br /> |
 
 
 #### SourceConfig
 
@@ -1,7 +1,10 @@
-# Derive minimal ServiceAccount required for ClusterExtension Installation and Management
+# Derive minimal RBAC required for ClusterExtension Installation and Management
 
 OLM v1 does not have permission to install extensions on a cluster by default. In order to install a [supported bundle](../project/olmv1_limitations.md),
-OLM must be provided a ServiceAccount configured with the appropriate permissions.
+OLM must be configured with the appropriate RBAC permissions via a ServiceAccount reference in the ClusterExtension.
+
+!!! note "ServiceAccount Impersonation"
+    OLM v1 uses Kubernetes impersonation to act as the specified ServiceAccount. This means **the ServiceAccount does not need to physically exist** as a resource in the cluster. However, you must still create the RBAC resources (ClusterRole, Role, ClusterRoleBinding, RoleBinding) that grant permissions to that ServiceAccount, as OLM will be subject to those same permissions when impersonating it.
 
 This document serves as a guide for how to derive the RBAC necessary to install a bundle.
 
@@ -252,9 +255,12 @@ This example's `ClusterServiceVersion` can be found [here](https://github.com/ar
 #### Step 2: `ServiceAccount` permissions
 
 The installer service account must be able to create and manage the `ServiceAccount`(s) for the extension controller(s).
-The `ServiceAccount` name(s) can be found in deployment template in the `ClusterServiceVersion` resource packed in the bundle under `.spec.install.deployments`.
+The `ServiceAccount` name(s) can be found in the deployment template in the `ClusterServiceVersion` resource packed in the bundle under `.spec.install.deployments`.
 This example's `ClusterServiceVersion` can be found [here](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator.v0.6.0.clusterserviceversion.yaml).
 
+!!! note
+    These permissions are required for the installer to manage the extension controller's ServiceAccount, which is separate from the installer ServiceAccount referenced in the ClusterExtension spec.
+
 ```yaml
 - apiGroups: [""]
   resources: [serviceaccounts]
@@ -300,12 +306,14 @@ Therefore, the following permissions must be given to the installer service acco
 Once the installer service account required cluster-scoped and namespace-scoped permissions have been collected:
 
 1. Create the installation namespace
-2. Create the installer `ServiceAccount`
-3. Create the installer `ClusterRole`
-4. Create the `ClusterRoleBinding` between the installer service account and its cluster role
-5. Create the installer `Role`
-6. Create the `RoleBinding` between the installer service account and its role
-7. Create the `ClusterExtension`
+2. Create the installer `ClusterRole`
+3. Create the `ClusterRoleBinding` referencing the installer service account name
+4. Create the installer `Role`
+5. Create the `RoleBinding` referencing the installer service account name
+6. Create the `ClusterExtension`
+
+!!! warning "Do NOT Create the ServiceAccount Resource"
+    **For security reasons, you should NOT create an actual ServiceAccount resource.** OLM v1 uses Kubernetes impersonation and does not require the ServiceAccount to exist as a cluster resource. Since the installer ServiceAccount is typically highly privileged, creating it as an actual resource would allow any pod in the same namespace to potentially mount and use that ServiceAccount's credentials. By relying on impersonation only, you eliminate this security risk while still maintaining the same permission boundaries through RBAC.
 
 A manifest with the full set of resources can be found [here](https://github.com/operator-framework/operator-controller/blob/main/config/samples/olm_v1_clusterextension.yaml).
 
@@ -324,7 +332,7 @@ that this alternative only be used in test clusters. Never in production.
 Below is an example ClusterRoleBinding using the cluster-admin ClusterRole:
 
 ```terminal
-# Create ClusterRole
+# Create ClusterRoleBinding
 kubectl apply -f - <<EOF
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -349,6 +357,9 @@ kubectl create clusterrolebinding my-cluster-extension-installer-role-binding \
   --serviceaccount=my-cluster-extension-namespace:my-cluster-installer-service-account
 ```
 
+!!! note
+    Remember: Do **not** create an actual ServiceAccount resource. The ClusterRoleBinding references the ServiceAccount by name only, and OLM will impersonate it.
+
 ### hack/tools/catalog
 
 In the spirit of making this process more tenable until the proper tools are in place, the scripts