Bug
Resolution: Not a Bug
Ref: https://github.ibm.com/PrivateCloud-analytics/CPD-Quality/issues/44029
Problem Description:
Non-compliance was found in the cert-manager Operator for Red Hat OpenShift.
cpd_nc_sh_026_csv_clusterPermissions_present
CSV: cert-manager-operator.v1.15.1 - we are using this in CPD.
ClusterPermissions give operators cluster-wide access, which violates CPD’s requirement for namespace-scoped RBAC.
This poses a security risk by enabling potential privilege escalation for tenant admins through service account tokens, so the clusterPermissions need to be removed from the CSVs.
CSV info:
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
 annotations:
  alm-examples: |-
   [
    {
     "apiVersion": "acme.cert-manager.io/v1",
     "kind": "Challenge",
     "metadata": {
      "name": "tls-cert-sample",
      "namespace": "default"
     },
     "spec": {
      "authorizationURL": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/XXXXX",
      "dnsName": "sample.dns.name",
      "issuerRef": {
       "kind": "Issuer",
       "name": "letsencrypt-staging"
      },
      "key": "XXX",
      "solver": {
       "dns01": {
        "route53": {
         "accessKeyID": "XXX",
         "hostedZoneID": "XXX",
         "region": "us-east-1",
         "secretAccessKeySecretRef": {
          "key": "awsSecretAccessKey",
          "name": "aws-secret"
         }
        }
       },
       "selector": {
        "dnsNames": [
         "sample.dns.name"
        ]
       }
      },
      "token": "XXX",
      "type": "DNS-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/XXXXXX/XXXXX",
      "wildcard": false
     }
    },
    {
     "apiVersion": "acme.cert-manager.io/v1",
     "kind": "Order",
     "metadata": {
      "annotations": {
       "cert-manager.io/certificate-name": "tls-cert",
       "cert-manager.io/certificate-revision": "1",
       "cert-manager.io/private-key-secret-name": "tls-cert-sample"
      },
      "name": "tls-cert-sample",
      "namespace": "default"
     },
     "spec": {
      "commonName": "sample.dns.name",
      "dnsNames": [
       "sample.dns.name"
      ],
      "issuerRef": {
       "kind": "Issuer",
       "name": "letsencrypt-staging"
      },
      "request": "XXX"
     }
    },
    {
     "apiVersion": "cert-manager.io/v1",
     "kind": "Certificate",
     "metadata": {
      "name": "selfsigned-ca",
      "namespace": "default"
     },
     "spec": {
      "commonName": "selfsigned-ca.dns.name",
      "isCA": true,
      "issuerRef": {
       "group": "cert-manager.io",
       "kind": "ClusterIssuer",
       "name": "selfsigned-issuer"
      },
      "privateKey": {
       "algorithm": "ECDSA",
       "size": 256
      },
      "secretName": "ca-root-secret"
     }
    },
    {
     "apiVersion": "cert-manager.io/v1",
     "kind": "Certificate",
     "metadata": {
      "name": "tls-cert",
      "namespace": "default"
     },
     "spec": {
      "commonName": "sample.dns.name",
      "dnsNames": [
       "sample.dns.name"
      ],
      "isCA": false,
      "issuerRef": {
       "kind": "Issuer",
       "name": "letsencrypt-staging"
      },
      "secretName": "tls-cert"
     }
    },
    {
     "apiVersion": "cert-manager.io/v1",
     "kind": "CertificateRequest",
     "metadata": {
      "annotations": {
       "cert-manager.io/certificate-name": "tls-cert",
       "cert-manager.io/certificate-revision": "1",
       "cert-manager.io/private-key-secret-name": "tls-cert-sample"
      },
      "name": "tls-cert-sample",
      "namespace": "default"
     },
     "spec": {
      "groups": [
       "system:serviceaccounts",
       "system:serviceaccounts:cert-manager",
       "system:authenticated"
      ],
      "issuerRef": {
       "kind": "Issuer",
       "name": "letsencrypt-staging"
      },
      "request": "XXX",
      "username": "system:serviceaccount:cert-manager:cert-manager"
     }
    },
    {
     "apiVersion": "cert-manager.io/v1",
     "kind": "ClusterIssuer",
     "metadata": {
      "name": "selfsigned-issuer"
     },
     "spec": {
      "selfSigned": {}
     }
    },
    {
     "apiVersion": "cert-manager.io/v1",
     "kind": "Issuer",
     "metadata": {
      "name": "ca-issuer",
      "namespace": "default"
     },
     "spec": {
      "ca": {
       "secretName": "ca-root-secret"
      }
     }
    },
    {
     "apiVersion": "cert-manager.io/v1",
     "kind": "Issuer",
     "metadata": {
      "name": "letsencrypt-staging",
      "namespace": "default"
     },
     "spec": {
      "acme": {
       "email": "aos-ci-cd@redhat.com",
       "privateKeySecretRef": {
        "name": "letsencrypt-staging"
       },
       "server": "https://acme-staging-v02.api.letsencrypt.org/directory",
       "solvers": [
        {
         "dns01": {
          "route53": {
           "accessKeyID": "ACCESS_KEY_ID",
           "hostedZoneID": "HOSTED_ZONE_ID",
           "region": "AWS_REGION",
           "secretAccessKeySecretRef": {
            "key": "access-key",
            "name": "sample-aws-secret"
           }
          }
         },
         "selector": {
          "dnsNames": [
           "sample.dns.name"
          ]
         }
        }
       ]
      }
     }
    },
    {
     "apiVersion": "operator.openshift.io/v1alpha1",
     "kind": "CertManager",
     "metadata": {
      "name": "cluster"
     },
     "spec": {
      "logLevel": "Normal",
      "managementState": "Managed"
     }
    },
    {
     "apiVersion": "operator.openshift.io/v1alpha1",
     "kind": "IstioCSR",
     "metadata": {
      "annotations": {
       "kubernetes.io/description": "Creating this resource requires the istio-csr tech-preview feature to be enabled, which otherwise has no effect. Please refer to the cert-manager documentation for more information on enabling the istio-csr feature. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process"
      },
      "name": "default",
      "namespace": "istio-csr"
     },
     "spec": {
      "istioCSRConfig": {
       "certManager": {
        "issuerRef": {
         "group": "cert-manager.io",
         "kind": "Issuer",
         "name": "istio-csr-issuer"
        }
       },
       "istio": {
        "namespace": "istio-system"
       },
       "istiodTLSConfig": {
        "trustDomain": "cluster.local"
       }
      }
     }
    }
   ]
  capabilities: Seamless Upgrades
  categories: Security
  console.openshift.io/disable-operand-delete: "true"
  containerImage: registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256:f328263e2d29e34ede65e4501f0447b2d9f84e9445a365c2fa2fbb253939e274
  createdAt: 2025-03-13T18:26:37
  features.operators.openshift.io/cnf: "false"
  features.operators.openshift.io/cni: "false"
  features.operators.openshift.io/csi: "false"
  features.operators.openshift.io/disconnected: "false"
  features.operators.openshift.io/fips-compliant: "true"
  features.operators.openshift.io/proxy-aware: "true"
  features.operators.openshift.io/tls-profiles: "false"
  features.operators.openshift.io/token-auth-aws: "true"
  features.operators.openshift.io/token-auth-azure: "true"
  features.operators.openshift.io/token-auth-gcp: "true"
  olm.operatorGroup: openshift-cert-manager-operator
  olm.operatorNamespace: cert-manager-operator
  olm.skipRange: '>=1.15.0 <1.15.1'
  operator.openshift.io/uninstall-message: The cert-manager Operator for Red Hat
   OpenShift will be removed from cert-manager-operator namespace. If your Operator
   configured any off-cluster resources, these will continue to run and require
   manual cleanup. All operands created by the operator will need to be manually
   cleaned up. Please refer to https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/cert-manager-operator-uninstall.html
   for additional steps.
  operatorframework.io/cluster-monitoring: "true"
  operatorframework.io/properties: '{"properties":[{"type":"olm.gvk","value":{"group":"acme.cert-manager.io","kind":"Challenge","version":"v1"}},{"type":"olm.gvk","value":{"group":"acme.cert-manager.io","kind":"Order","version":"v1"}},{"type":"olm.gvk","value":{"group":"cert-manager.io","kind":"Certificate","version":"v1"}},{"type":"olm.gvk","value":{"group":"cert-manager.io","kind":"CertificateRequest","version":"v1"}},{"type":"olm.gvk","value":{"group":"cert-manager.io","kind":"ClusterIssuer","version":"v1"}},{"type":"olm.gvk","value":{"group":"cert-manager.io","kind":"Issuer","version":"v1"}},{"type":"olm.gvk","value":{"group":"operator.openshift.io","kind":"CertManager","version":"v1alpha1"}},{"type":"olm.gvk","value":{"group":"operator.openshift.io","kind":"IstioCSR","version":"v1alpha1"}},{"type":"olm.package","value":{"packageName":"openshift-cert-manager-operator","version":"1.15.1"}}]}'
  operatorframework.io/suggested-namespace: cert-manager-operator
  operators.openshift.io/infrastructure-features: '["proxy-aware"]'
  operators.openshift.io/valid-subscription: '["OpenShift Kubernetes Engine", "OpenShift
   Container Platform", "OpenShift Platform Plus"]'
  operators.operatorframework.io/builder: operator-sdk-v1.25.1
  operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
  repository: https://github.com/openshift/cert-manager-operator
  support: Red Hat, Inc.
 creationTimestamp: "2025-04-06T22:10:47Z"
 generation: 1
 labels:
  olm.copiedFrom: cert-manager-operator
  olm.managed: "true"
  operatorframework.io/arch.amd64: supported
  operatorframework.io/arch.arm64: supported
  operatorframework.io/arch.ppc64le: supported
  operatorframework.io/arch.s390x: supported
  operatorframework.io/os.linux: supported
 name: cert-manager-operator.v1.15.1
 namespace: cpd-ops
 resourceVersion: "86876"
 uid: 8eba92b9-fad3-46b0-87e6-d80e8f0019d6
spec:
 apiservicedefinitions: {}
 cleanup:
  enabled: false
 customresourcedefinitions:
  owned:
  - kind: CertificateRequest
   name: certificaterequests.cert-manager.io
   version: v1
  - kind: Certificate
   name: certificates.cert-manager.io
   version: v1
  - description: CertManager is the Schema for the certmanagers API
   displayName: CertManager
   kind: CertManager
   name: certmanagers.operator.openshift.io
   version: v1alpha1
  - kind: Challenge
   name: challenges.acme.cert-manager.io
   version: v1
  - kind: ClusterIssuer
   name: clusterissuers.cert-manager.io
   version: v1
  - kind: Issuer
   name: issuers.cert-manager.io
   version: v1
  - kind: IstioCSR
   name: istiocsrs.operator.openshift.io
   version: v1alpha1
  - kind: Order
   name: orders.acme.cert-manager.io
   version: v1
 description: |
  The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.15.5](https://github.com/cert-manager/cert-manager/tree/v1.15.2), which automates certificate management.
  For more information, see the [cert-manager Operator for Red Hat OpenShift documentation](https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html).
 displayName: cert-manager Operator for Red Hat OpenShift
 icon:
 - base64data: 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
  mediatype: image/png
 install:
  spec:
   # clusterPermissions: cluster-scoped RBAC (ClusterRole + ClusterRoleBinding)
   # that OLM grants to the serviceAccountName at the end of this list. This is
   # the block that cpd_nc_sh_026_csv_clusterPermissions_present reports on; the
   # namespace-scoped rules are in the `permissions:` list further down.
   clusterPermissions:
   - rules:
    # Core resources in every namespace. Only the cert-manager.io signers rule
    # below carries a resourceNames restriction; every other rule is unscoped.
    - apiGroups:
     - ""
     resources:
     - configmaps
     - events
     - namespaces
     - serviceaccounts
     - services
     verbs:
     - create
     - delete
     - get
     - list
     - patch
     - update
     - watch
    # Full read/write on pods and secrets cluster-wide. Cluster-wide secret read
    # is the broadest grant in this list and is presumably what the ticket's
    # "service account tokens" concern refers to -- confirm.
    - apiGroups:
     - ""
     resources:
     - pods
     - secrets
     verbs:
     - create
     - delete
     - get
     - list
     - patch
     - update
     - watch
    # ACME challenge objects; the next rule is a superset of this one.
    - apiGroups:
     - acme.cert-manager.io
     resources:
     - challenges
     - challenges/finalizers
     - challenges/status
     verbs:
     - create
     - delete
     - get
     - list
     - patch
     - update
     - watch
    - apiGroups:
     - acme.cert-manager.io
     resources:
     - challenges
     - challenges/finalizers
     - challenges/status
     - orders
     - orders/finalizers
     - orders/status
     verbs:
     - create
     - delete
     - deletecollection
     - get
     - list
     - patch
     - update
     - watch
    # Cluster-wide admission webhook registrations.
    - apiGroups:
     - admissionregistration.k8s.io
     resources:
     - mutatingwebhookconfigurations
     - validatingwebhookconfigurations
     verbs:
     - create
     - delete
     - get
     - list
     - patch
     - update
     - watch
    # CRD lifecycle; inherently cluster-scoped.
    - apiGroups:
     - apiextensions.k8s.io
     resources:
     - customresourcedefinitions
     verbs:
     - create
     - delete
     - get
     - list
     - patch
     - update
     - watch
    - apiGroups:
     - apiregistration.k8s.io
     resources:
     - apiservices
     verbs:
     - create
     - delete
     - get
     - list
     - patch
     - update
     - watch
    # Operand workloads (deployments/replicasets) in any namespace.
    - apiGroups:
     - apps
     resources:
     - deployments
     - replicasets
     verbs:
     - create
     - delete
     - get
     - list
     - patch
     - update
     - watch
    - apiGroups:
     - cert-manager.io
     resources:
     - certificaterequests
     - certificaterequests/finalizers
     - certificaterequests/status
     - certificates
     - certificates/finalizers
     - certificates/status
     - clusterissuers
     - clusterissuers/status
     - issuers
     - issuers/status
     verbs:
     - create
     - delete
     - deletecollection
     - get
     - list
     - patch
     - update
     - watch
    # The only resourceNames-scoped rule: approve is limited to cert-manager's
    # own issuer signer names.
    - apiGroups:
     - cert-manager.io
     resourceNames:
     - clusterissuers.cert-manager.io/*
     - issuers.cert-manager.io/*
     resources:
     - signers
     verbs:
     - approve
    - apiGroups:
     - certificates.k8s.io
     resources:
     - certificatesigningrequests
     - certificatesigningrequests/status
     verbs:
     - create
     - delete
     - get
     - list
     - patch
     - update
     - watch
    # `sign` on certificates.k8s.io signers with no resourceNames, i.e. any
    # Kubernetes CSR signer name.
    - apiGroups:
     - certificates.k8s.io
     resources:
     - signers
     verbs:
     - create
     - delete
     - get
     - list
     - patch
     - sign
     - update
     - watch
    # OpenShift-specific: ClusterOperator status reporting and infrastructure read.
    - apiGroups:
     - config.openshift.io
     resources:
     - certmanagers
     - clusteroperators
     - clusteroperators/status
     - infrastructures
     verbs:
     - create
     - delete
     - get
     - list
     - patch
     - update
     - watch
    # Leases cluster-wide; the namespace-scoped `permissions:` list also grants
    # leases, so this cluster rule overlaps with it.
    - apiGroups:
     - coordination.k8s.io
     resources:
     - leases
     verbs:
     - create
     - delete
     - get
     - list
     - patch
     - update
     - watch
    - apiGroups:
     - gateway.networking.k8s.io
     resources:
     - gateways
     - gateways/finalizers
     - httproutes
     - httproutes/finalizers
     verbs:
     - create
     - delete
     - get
     - list
     - patch
     - update
     - watch
    - apiGroups:
     - networking.k8s.io
     resources:
     - ingresses
     - ingresses/finalizers
     verbs:
     - create
     - delete
     - get
     - list
     - patch
     - update
     - watch
    - apiGroups:
     - operator.openshift.io
     resources:
     - certmanagers
     verbs:
     - create
     - delete
     - get
     - list
     - patch
     - update
     - watch
    - apiGroups:
     - operator.openshift.io
     resources:
     - certmanagers/finalizers
     verbs:
     - update
    - apiGroups:
     - operator.openshift.io
     resources:
     - certmanagers/status
     verbs:
     - get
     - patch
     - update
    - apiGroups:
     - operator.openshift.io
     resources:
     - istiocsrs
     verbs:
     - get
     - list
     - patch
     - update
     - watch
    - apiGroups:
     - operator.openshift.io
     resources:
     - istiocsrs/finalizers
     verbs:
     - update
    - apiGroups:
     - operator.openshift.io
     resources:
     - istiocsrs/status
     verbs:
     - get
     - patch
     - update
    # create/update on (cluster)roles and (cluster)rolebindings. Kubernetes'
    # RBAC escalation check restricts what can be granted to permissions the
    # SA already holds, but the rules above make that a broad set.
    - apiGroups:
     - rbac.authorization.k8s.io
     resources:
     - clusterrolebindings
     - clusterroles
     - rolebindings
     - roles
     verbs:
     - create
     - delete
     - get
     - list
     - patch
     - update
     - watch
    # routes/custom-host allows setting arbitrary hostnames on Routes.
    - apiGroups:
     - route.openshift.io
     resources:
     - routes
     - routes/custom-host
     verbs:
     - create
     - delete
     - get
     - list
     - patch
     - update
     - watch
    # Token and access review creation, typically needed to authenticate and
    # authorize callers of the operator's own HTTPS endpoint.
    - apiGroups:
     - authentication.k8s.io
     resources:
     - tokenreviews
     verbs:
     - create
    - apiGroups:
     - authorization.k8s.io
     resources:
     - subjectaccessreviews
     verbs:
     - create
    # Same SA as the Deployment and the namespace-scoped `permissions:` list.
    serviceAccountName: cert-manager-operator-controller-manager
   # Install strategy: the operator's own Deployment. It runs as the same
   # ServiceAccount that receives both the cluster-scoped and namespace-scoped
   # rule lists in this CSV.
   deployments:
   - label:
     app.kubernetes.io/component: manager
     app.kubernetes.io/created-by: cert-manager-operator
     app.kubernetes.io/instance: controller-manager
     app.kubernetes.io/managed-by: kustomize
     app.kubernetes.io/name: deployment
     app.kubernetes.io/part-of: cert-manager-operator
    name: cert-manager-operator-controller-manager
    spec:
     replicas: 1
     selector:
      matchLabels:
       name: cert-manager-operator
     strategy: {}
     template:
      metadata:
       annotations:
        kubectl.kubernetes.io/default-container: cert-manager-operator
       creationTimestamp: null
       labels:
        name: cert-manager-operator
      spec:
       # Pin to the four supported architectures and Linux nodes.
       affinity:
        nodeAffinity:
         requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
          - matchExpressions:
           - key: kubernetes.io/arch
            operator: In
            values:
            - amd64
            - arm64
            - ppc64le
            - s390x
           - key: kubernetes.io/os
            operator: In
            values:
            - linux
       containers:
       - args:
        - start
        # $(VAR) references resolve from the env list below. The last three env
        # entries carry no value, so these flags presumably expand to empty
        # strings -- confirm against the operator's flag parsing.
        - --v=$(OPERATOR_LOG_LEVEL)
        - --trusted-ca-configmap=$(TRUSTED_CA_CONFIGMAP_NAME)
        - --cloud-credentials-secret=$(CLOUD_CREDENTIALS_SECRET_NAME)
        - --unsupported-addon-features=$(UNSUPPORTED_ADDON_FEATURES)
        command:
        - /usr/bin/cert-manager-operator
        env:
        # Target namespaces come from the OLM-managed annotation on the pod.
        - name: WATCH_NAMESPACE
         valueFrom:
          fieldRef:
           fieldPath: metadata.annotations['olm.targetNamespaces']
        - name: POD_NAME
         valueFrom:
          fieldRef:
           fieldPath: metadata.name
        - name: OPERATOR_NAME
         value: cert-manager-operator
        # Operand images are pinned by digest rather than tag.
        - name: RELATED_IMAGE_CERT_MANAGER_WEBHOOK
         value: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6af3ee8b2a5a87042fb7158bda8d6cf2e6324d1e265974acf77214d4cd0ea0d3
        - name: RELATED_IMAGE_CERT_MANAGER_CA_INJECTOR
         value: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6af3ee8b2a5a87042fb7158bda8d6cf2e6324d1e265974acf77214d4cd0ea0d3
        - name: RELATED_IMAGE_CERT_MANAGER_CONTROLLER
         value: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6af3ee8b2a5a87042fb7158bda8d6cf2e6324d1e265974acf77214d4cd0ea0d3
        - name: RELATED_IMAGE_CERT_MANAGER_ACMESOLVER
         value: registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:20efff60a0caf5eafb38986fd21611697b5bc534c2e789da233983a9739938ed
        - name: RELATED_IMAGE_CERT_MANAGER_ISTIOCSR
         value: registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:9573d74bd2b926ec94af76f813e6358f14c5b2f4e0eedab7c1ff1070b7279a5c
        - name: OPERAND_IMAGE_VERSION
         value: 1.15.5
        - name: ISTIOCSR_OPERAND_IMAGE_VERSION
         value: 0.14.0
        - name: OPERATOR_IMAGE_VERSION
         value: 1.15.1
        - name: OPERATOR_LOG_LEVEL
         value: "2"
        # Name-only entries: no value or valueFrom is set.
        - name: TRUSTED_CA_CONFIGMAP_NAME
        - name: CLOUD_CREDENTIALS_SECRET_NAME
        - name: UNSUPPORTED_ADDON_FEATURES
        image: registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256:f328263e2d29e34ede65e4501f0447b2d9f84e9445a365c2fa2fbb253939e274
        imagePullPolicy: IfNotPresent
        name: cert-manager-operator
        ports:
        - containerPort: 8443
         name: https
         protocol: TCP
        # Requests only; no resource limits are declared.
        resources:
         requests:
          cpu: 10m
          memory: 32Mi
        # Container hardening: no privilege escalation, all capabilities dropped,
        # non-root, runtime default seccomp profile.
        securityContext:
         allowPrivilegeEscalation: false
         capabilities:
          drop:
          - ALL
         privileged: false
         runAsNonRoot: true
         seccompProfile:
          type: RuntimeDefault
       # Pod-level defaults; the container above repeats them explicitly.
       securityContext:
        runAsNonRoot: true
        seccompProfile:
         type: RuntimeDefault
       serviceAccountName: cert-manager-operator-controller-manager
       terminationGracePeriodSeconds: 10
   # Namespace-scoped RBAC (Role + RoleBinding in the operator namespace):
   # configmaps, leader-election leases and event emission only. This is the
   # list the ticket asks to rely on instead of clusterPermissions; note that it
   # does not cover the operand resources (deployments, CRDs, webhooks, secrets)
   # that the cluster-scoped rules above grant, so whether the operator can
   # function on these rules alone is not decided by this CSV.
   permissions:
   - rules:
    - apiGroups:
     - ""
     resources:
     - configmaps
     verbs:
     - get
     - list
     - watch
     - create
     - update
     - patch
     - delete
    - apiGroups:
     - coordination.k8s.io
     resources:
     - leases
     verbs:
     - get
     - list
     - watch
     - create
     - update
     - patch
     - delete
    - apiGroups:
     - ""
     resources:
     - events
     verbs:
     - create
     - patch
    # Same SA as the clusterPermissions list and the Deployment.
    serviceAccountName: cert-manager-operator-controller-manager
  strategy: deployment
 installModes:
 - supported: true
  type: OwnNamespace
 - supported: true
  type: SingleNamespace
 - supported: false
  type: MultiNamespace
 - supported: true
  type: AllNamespaces
 keywords:
 - cert-manager
 - cert-manager-operator
 - cert
 - certificates
 - security
 - TLS
 links:
 - name: Documentation
  url: https://github.com/openshift/cert-manager-operator/blob/master/README.md
 maintainers:
 - email: support@redhat.com
  name: Red Hat Support
 maturity: stable
 minKubeVersion: 1.25.0
 provider:
  name: Red Hat
 relatedImages:
 - image: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6af3ee8b2a5a87042fb7158bda8d6cf2e6324d1e265974acf77214d4cd0ea0d3
  name: cert-manager-webhook
 - image: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6af3ee8b2a5a87042fb7158bda8d6cf2e6324d1e265974acf77214d4cd0ea0d3
  name: cert-manager-ca-injector
 - image: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6af3ee8b2a5a87042fb7158bda8d6cf2e6324d1e265974acf77214d4cd0ea0d3
  name: cert-manager-controller
 - image: registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:20efff60a0caf5eafb38986fd21611697b5bc534c2e789da233983a9739938ed
  name: cert-manager-acmesolver
 - image: registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:9573d74bd2b926ec94af76f813e6358f14c5b2f4e0eedab7c1ff1070b7279a5c
  name: cert-manager-istiocsr
 replaces: cert-manager-operator.v1.15.0
 version: 1.15.1
status:
 cleanup: {}
 conditions:
 - lastTransitionTime: "2025-04-06T22:10:41Z"
  lastUpdateTime: "2025-04-06T22:10:41Z"
  message: requirements not yet checked
  phase: Pending
  reason: RequirementsUnknown
 - lastTransitionTime: "2025-04-06T22:10:41Z"
  lastUpdateTime: "2025-04-06T22:10:41Z"
  message: one or more requirements couldn't be found
  phase: Pending
  reason: RequirementsNotMet
 - lastTransitionTime: "2025-04-06T22:10:43Z"
  lastUpdateTime: "2025-04-06T22:10:43Z"
  message: all requirements found, attempting install
  phase: InstallReady
  reason: AllRequirementsMet
 - lastTransitionTime: "2025-04-06T22:10:43Z"
  lastUpdateTime: "2025-04-06T22:10:43Z"
  message: waiting for install components to report healthy
  phase: Installing
  reason: InstallSucceeded
 - lastTransitionTime: "2025-04-06T22:10:43Z"
  lastUpdateTime: "2025-04-06T22:10:43Z"
  message: 'installing: waiting for deployment cert-manager-operator-controller-manager
   to become ready: deployment "cert-manager-operator-controller-manager" not available:
   Deployment does not have minimum availability.'
  phase: Installing
  reason: InstallWaiting
 - lastTransitionTime: "2025-04-06T22:10:55Z"
  lastUpdateTime: "2025-04-06T22:10:55Z"
  message: install strategy completed with no errors
  phase: Succeeded
  reason: InstallSucceeded
 lastTransitionTime: "2025-04-06T22:10:55Z"
 lastUpdateTime: "2025-04-06T22:10:55Z"
 message: The operator is running in cert-manager-operator but is managing this namespace
 phase: Succeeded
 reason: Copied
 requirementStatus:
 - group: operators.coreos.com
  kind: ClusterServiceVersion
  message: CSV minKubeVersion (1.25.0) less than server version (v1.31.5)
  name: cert-manager-operator.v1.15.1
  status: Present
  version: v1alpha1
 - group: apiextensions.k8s.io
  kind: CustomResourceDefinition
  message: CRD is present and Established condition is true
  name: certificaterequests.cert-manager.io
  status: Present
  uuid: e6c090e0-e789-40fb-a6bc-1a18af0102c3
  version: v1
 - group: apiextensions.k8s.io
  kind: CustomResourceDefinition
  message: CRD is present and Established condition is true
  name: certificates.cert-manager.io
  status: Present
  uuid: 84cf9fbd-1b30-42a7-ba6b-a90c4910bfab
  version: v1
 - group: apiextensions.k8s.io
  kind: CustomResourceDefinition
  message: CRD is present and Established condition is true
  name: certmanagers.operator.openshift.io
  status: Present
  uuid: 74d29fe2-17aa-4974-b2ab-7d3b58a5221f
  version: v1
 - group: apiextensions.k8s.io
  kind: CustomResourceDefinition
  message: CRD is present and Established condition is true
  name: challenges.acme.cert-manager.io
  status: Present
  uuid: 5d76cd3c-e1e7-4499-b4e7-f18e5495dd79
  version: v1
 - group: apiextensions.k8s.io
  kind: CustomResourceDefinition
  message: CRD is present and Established condition is true
  name: clusterissuers.cert-manager.io
  status: Present
  uuid: d98e3865-b83d-455e-808f-85c304325fc1
  version: v1
 - group: apiextensions.k8s.io
  kind: CustomResourceDefinition
  message: CRD is present and Established condition is true
  name: issuers.cert-manager.io
  status: Present
  uuid: 44d8db10-759f-4dd4-9b8e-351ebfa83c9c
  version: v1
 - group: apiextensions.k8s.io
  kind: CustomResourceDefinition
  message: CRD is present and Established condition is true
  name: istiocsrs.operator.openshift.io
  status: Present
  uuid: 5d8f062b-fc85-450a-af48-4b536877c434
  version: v1
 - group: apiextensions.k8s.io
  kind: CustomResourceDefinition
  message: CRD is present and Established condition is true
  name: orders.acme.cert-manager.io
  status: Present
  uuid: c3939a3d-cce0-45d9-acdc-b3c899d0ff60
  version: v1
 - dependents:
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":[""],"resources":["configmaps","events","namespaces","serviceaccounts","services"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":[""],"resources":["pods","secrets"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["acme.cert-manager.io"],"resources":["challenges","challenges/finalizers","challenges/status"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create","delete","deletecollection","get","list","patch","update","watch"],"apiGroups":["acme.cert-manager.io"],"resources":["challenges","challenges/finalizers","challenges/status","orders","orders/finalizers","orders/status"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["admissionregistration.k8s.io"],"resources":["mutatingwebhookconfigurations","validatingwebhookconfigurations"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["apiextensions.k8s.io"],"resources":["customresourcedefinitions"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["apiregistration.k8s.io"],"resources":["apiservices"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["apps"],"resources":["deployments","replicasets"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create","delete","deletecollection","get","list","patch","update","watch"],"apiGroups":["cert-manager.io"],"resources":["certificaterequests","certificaterequests/finalizers","certificaterequests/status","certificates","certificates/finalizers","certificates/status","clusterissuers","clusterissuers/status","issuers","issuers/status"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["approve"],"apiGroups":["cert-manager.io"],"resources":["signers"],"resourceNames":["clusterissuers.cert-manager.io/*","issuers.cert-manager.io/*"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["certificates.k8s.io"],"resources":["certificatesigningrequests","certificatesigningrequests/status"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create","delete","get","list","patch","sign","update","watch"],"apiGroups":["certificates.k8s.io"],"resources":["signers"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["config.openshift.io"],"resources":["certmanagers","clusteroperators","clusteroperators/status","infrastructures"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["coordination.k8s.io"],"resources":["leases"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["gateway.networking.k8s.io"],"resources":["gateways","gateways/finalizers","httproutes","httproutes/finalizers"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["networking.k8s.io"],"resources":["ingresses","ingresses/finalizers"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["operator.openshift.io"],"resources":["certmanagers"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["update"],"apiGroups":["operator.openshift.io"],"resources":["certmanagers/finalizers"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["get","patch","update"],"apiGroups":["operator.openshift.io"],"resources":["certmanagers/status"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["get","list","patch","update","watch"],"apiGroups":["operator.openshift.io"],"resources":["istiocsrs"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["update"],"apiGroups":["operator.openshift.io"],"resources":["istiocsrs/finalizers"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["get","patch","update"],"apiGroups":["operator.openshift.io"],"resources":["istiocsrs/status"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["rbac.authorization.k8s.io"],"resources":["clusterrolebindings","clusterroles","rolebindings","roles"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["route.openshift.io"],"resources":["routes","routes/custom-host"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create"],"apiGroups":["authentication.k8s.io"],"resources":["tokenreviews"]}
   status: Satisfied
   version: v1
  - group: rbac.authorization.k8s.io
   kind: PolicyRule
   message: cluster rule:{"verbs":["create"],"apiGroups":["authorization.k8s.io"],"resources":["subjectaccessreviews"]}
   status: Satisfied
   version: v1
  group: ""
  kind: ServiceAccount
  message: ""
  name: cert-manager-operator-controller-manager
  status: Present
   version: v1
Expected result: Please remove clusterPermissions from Operator CSVs and use only "permissions" instead. Thanks.
- account is impacted by
RFE-8072 CSV cert-manager-operator.v1.15.1 has cluster permissions
- Backlog