-
Notifications
You must be signed in to change notification settings - Fork 67
📖 Document OLMv1 permission model #1380
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from 9 commits
Commits
Show all changes
18 commits
Select commit
Hold shift + click to select a range
664a51f
changes to derice minimum service account
rashmi43 75c5f7c
remove headers
rashmi43 24d93f1
add details about registry+v1 support
rashmi43 fdf7e9d
render yml correctly
rashmi43 ba9193d
Merge branch 'operator-framework:main' into main
rashmi43 4067d8c
Merge branch 'operator-framework:main' into main
rashmi43 a6b2ebc
Merge branch 'operator-framework:main' into main
rashmi43 ccfd9a9
create doc for olmv1 permission model
rashmi43 c40dce6
Delete docs/drafts directory
rashmi43 2e5fcba
Update permission-model.md
rashmi43 7bcdd89
update permission models with link
rashmi43 23223b4
add space
rashmi43 65aece4
add more structure
rashmi43 34efe90
incorporate review comments
rashmi43 3875b46
incorporate review comments
rashmi43 b27dfa9
pers review comments-s
rashmi43 a36a0de
example as header-s
rashmi43 ad0a648
update the example
rashmi43 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| #### OLMv1 Permission Model | ||
|
|
||
| Here we aim to describe the OLMv1 permission model in terms of RBAC defined for the ClusterExtension and RBAC contained in the operator bundle ClusterServiceVersion. | ||
|
|
||
| The OLMv1 operator-controller generates a service account for the deployment and RBAC for the service account based on the contents of the ClusterServiceVersion in much the same way that OLMv0 does. The ClusterExtension CR also defines a service account to deploy and manage the ClusterExtension lifecycle. | ||
|
|
||
| For registry+v1 bundles, the deployment's service account is separate and use for managing the controller logic. Its RBAC is derived purely from the RBAC that is defined in the CSV. | ||
| The ClusterExtension service account manages the lifecycle of the bundle contents and requires RBAC that allows it to manage that lifecycle. The ClusterExtension service account needs permissions to manage the manifests that are defined by the bundle. | ||
|
|
||
| Since the operator bundle contains its own RBAC, it means the ClusterExtension service account requires either: | ||
| the same set of permissions that are defined in the RBAC that it is trying to create. | ||
| bind/escalate verbs for RBAC, OR | ||
| See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping | ||
|
|
||
| The ClusterExtension permissions are not added to the deployment. The ClusterExtension service account and the bundle's service accounts are for different purposes. Naming conflicts between the two service accounts can lead to failure of ClusterExtension deployment. | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.