When installing cert-manager-operator 1.15.0 (registry.redhat.io/cert-manager/cert-manager-operator-bundle@sha256:9a212e5a65ec7a71b4462539902515cfeecf5b02fd8a3f3beaaa6c5ecfc49ec2), operator-controller fails unpacking the bundle contents due to the operator-controller user's lack of permission to setxattr properties that are present on files in the imamge.

4.18.0    

100%    

$ cat <<'EOF' | kubectl delete -f -
---
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-operator
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager-operator-installer
  namespace: cert-manager-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-operator-installer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: cert-manager-operator-installer
  namespace: cert-manager-operator
---
apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  name: cert-manager-operator
spec:
  namespace: cert-manager-operator
  serviceAccount:
    name: cert-manager-operator-installer
  source:
    catalog:
      channels:
      - stable-v1
      packageName: openshift-cert-manager-operator
      upgradeConstraintPolicy: CatalogProvided
      version: 1.15.0
    sourceType: Catalog
EOF     

error unpacking image: error applying layer[0]: failed to setxattr "/var/cache/unpack/cert-manager-operator/sha256:9a212e5a65ec7a71b4462539902515cfeecf5b02fd8a3f3beaaa6c5ecfc49ec2/usr/bin/newgidmap" for key "security.capability": operation not permitted for resolved bundle "cert-manager-operator.v1.15.0" with version "1.15.0"'       

The bundle unpacks successfully (and likely proceeds successfully through installation)