  1. OpenShift GitOps
  2. GITOPS-2615

Controller should use aggregated cluster role as default


      Epic Goal

      • Use an aggregated cluster role for the default role for the controller instead of the current hard-coded role that is created in the namespace by the operator

      See this description of aggregated cluster roles, for details on this K8s feature: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles

      Why is this important?

      • The current default role is hard-coded with a specific set of permissions managed by the GitOps product team. This role is operator-managed and cannot be modified by the customer, since any changes will be reverted by the Operator.
      • Using an aggregated cluster role enables customers to easily add their own permissions without having to define a completely new role from scratch using the CONTROLLER_CLUSTER_ROLE environment variable.
      • The aggregated role can inherit the permissions from the default admin ClusterRole in OpenShift which removes the onus on the GitOps team to manage the list of permissions.

      Scenarios

      1. Customer has deployed a new CRD and needs to add permissions to the controller to work with that CRD

      Acceptance Criteria (Mandatory)

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.

      Dependencies (internal and external)

      This is potentially a breaking change

      Previous Work (Optional):

      Recommended ClusterRole is based on the following, which I have been testing successfully for a few weeks now in a lab environment.

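      # Aggregated role intended as the controller's default role. Its rules are
      # filled in from every ClusterRole labelled gitops/aggregate-to-controller: "true".
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        annotations:
          rbac.authorization.kubernetes.io/autoupdate: "true"
        name: gitops-controller
      aggregationRule:
        clusterRoleSelectors:
        - matchLabels:
            gitops/aggregate-to-controller: "true"
      rules: []
      ---
      # Collects the rules of every ClusterRole labelled aggregate-to-admin and
      # passes them on to gitops-controller through its own label.
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: gitops-controller-admin
        labels:
          gitops/aggregate-to-controller: "true"
      aggregationRule:
        clusterRoleSelectors:
        - matchLabels:
            rbac.authorization.k8s.io/aggregate-to-admin: "true"
      rules: []
      ---
      # Read-only (get/list/watch) on every resource in every API group,
      # which includes Secrets.
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: gitops-controller-view
        labels:
          gitops/aggregate-to-controller: "true"
      rules:
      - apiGroups:
        - '*'
        resources:
        - '*'
        verbs:
        - get
        - list
        - watch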
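
The aggregation in the roles above, worked through for the CRD scenario as an added example that is not part of the issue or the operator's code: a small Python model that resolves the nested label selectors and reports what `gitops-controller` ends up allowing. The `sample-admin-part` role and the `example.com`/`widgets` customer role are constructed, and only `matchLabels` selectors are modelled.

```python
# Constructed model of ClusterRole aggregation (added example, not operator code).
# A role has labels, selectors (matchLabels of its aggregationRule) and its own rules.
def rule(groups, resources, verbs):
    return (tuple(groups), tuple(resources), tuple(verbs))

TO_CONTROLLER = {"gitops/aggregate-to-controller": "true"}
TO_ADMIN = {"rbac.authorization.k8s.io/aggregate-to-admin": "true"}

ROLES = {  # the three roles from the issue
    "gitops-controller": {"labels": {}, "selectors": [TO_CONTROLLER], "rules": []},
    "gitops-controller-admin": {"labels": TO_CONTROLLER, "selectors": [TO_ADMIN], "rules": []},
    "gitops-controller-view": {"labels": TO_CONTROLLER, "selectors": [],
                               "rules": [rule(["*"], ["*"], ["get", "list", "watch"])]},
    # Constructed stand-in for a role that carries the aggregate-to-admin label.
    "sample-admin-part": {"labels": TO_ADMIN, "selectors": [],
                          "rules": [rule([""], ["configmaps"], ["create", "update", "delete"])]},
}

# Hypothetical customer role for the CRD scenario; example.com/widgets is made up.
CUSTOMER_ROLE = {"labels": TO_CONTROLLER, "selectors": [],
                 "rules": [rule(["example.com"], ["widgets"], ["create", "update", "patch", "delete"])]}

def resolve(roles):
    """Effective rules per role, iterated until nested aggregation settles."""
    effective = {name: set(r["rules"]) for name, r in roles.items()}
    changed = True
    while changed:
        changed = False
        for name, role in roles.items():
            for selector in role["selectors"]:
                for other, cand in roles.items():
                    matches = all(cand["labels"].get(k) == v for k, v in selector.items())
                    if other != name and matches and not effective[other] <= effective[name]:
                        effective[name] |= effective[other]
                        changed = True
    return effective

def allowed(rules, group, resource, verb):
    """True if any rule covers the request; '*' is a wildcard in each field."""
    return any((group in g or "*" in g) and (resource in r or "*" in r) and (verb in v or "*" in v)
               for g, r, v in rules)

if __name__ == "__main__":
    rules = resolve({**ROLES, "customer-widgets": CUSTOMER_ROLE})["gitops-controller"]
    for req in [("example.com", "widgets", "create"), ("", "secrets", "get"), ("", "secrets", "delete")]:
        print(req, allowed(rules, *req))
```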
      

      Done Checklist

      • Acceptance criteria are met
      • Non-functional properties of the Feature have been validated (such as performance, resource, UX, security or privacy aspects)
      • User Journey automation is delivered
      • Support and SRE teams are provided with enough skills to support the feature in production environment

              jparsai Jayendra Parsai
              gnunn@redhat.com Gerald Nunn