Skip to content

📖 Document OLMv1 permission model #1380

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 18 commits into from
Nov 18, 2024
Merged

📖 Document OLMv1 permission model #1380

Changes from 10 commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
664a51f
changes to derice minimum service account
rashmi43 Sep 9, 2024
75c5f7c
remove headers
rashmi43 Sep 9, 2024
24d93f1
add details about registry+v1 support
rashmi43 Sep 10, 2024
fdf7e9d
render yml correctly
rashmi43 Sep 10, 2024
ba9193d
Merge branch 'operator-framework:main' into main
rashmi43 Oct 8, 2024
4067d8c
Merge branch 'operator-framework:main' into main
rashmi43 Oct 10, 2024
a6b2ebc
Merge branch 'operator-framework:main' into main
rashmi43 Oct 16, 2024
ccfd9a9
create doc for olmv1 permission model
rashmi43 Oct 16, 2024
c40dce6
Delete docs/drafts directory
rashmi43 Oct 16, 2024
2e5fcba
Update permission-model.md
rashmi43 Oct 17, 2024
7bcdd89
update permission models with link
rashmi43 Oct 17, 2024
23223b4
add space
rashmi43 Oct 17, 2024
65aece4
add more structure
rashmi43 Oct 21, 2024
34efe90
incorporate review comments
rashmi43 Oct 24, 2024
3875b46
incorporate review comments
rashmi43 Oct 25, 2024
b27dfa9
pers review comments-s
rashmi43 Nov 6, 2024
a36a0de
example as header-s
rashmi43 Nov 6, 2024
ad0a648
update the example
rashmi43 Nov 15, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions docs/concepts/permission-model.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
#### OLMv1 Permission Model

Here we aim to describe the OLMv1 permission model. OLMv1 itself does not have permission to manage the installation and lifecycle of cluster extensions. Rather, it requires that each cluster extension specifies a service account that will be used to manage its bundle contents.


1) The purpose of the service account specified in the ClusterExtension spec, which is to manage everything in (2) below.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the structure of this section is a little bit unclear. Maybe we could call attention to the fact that the installer service account and the service account for the cluster extension's Deployment have different purposes: the first manages the lifecycle of the cluster extensions - so it needs to be able to create/modify the resources packed in the bundle, and assign RBAC to the extension's Deployment SA. And, the second, gives the extension controller the RBAC it needs to do its business.

I think most of that information is already here, we should just restructure it a bit to make clear this distinction and the roles of each of the SAs

2) The contents of the bundle, which may contain more service accounts and RBAC. Since the operator bundle contains its own RBAC, it means the ClusterExtension service account requires either:
- the same set of permissions that are defined in the RBAC that it is trying to create.
- bind/escalate verbs for RBAC, OR
See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping
4) The OLMv1 operator-controller generates a service account for the deployment and RBAC for the service account based on the contents of the ClusterServiceVersion in much the same way that OLMv0 does. The ClusterExtension CR also defines a service account to deploy and manage the ClusterExtension lifecycle

The ClusterExtension permissions are not added to the deployment. The ClusterExtension service account and the bundle's service accounts are for different purposes. Naming conflicts between the two service accounts can lead to failure of ClusterExtension deployment.