Uploaded image for project: 'Operator Runtime'
  1. Operator Runtime
  2. OPRUN-1786

Operations permissions introspection and approval

XMLWordPrintable

    • Icon: Epic Epic
    • Resolution: Obsolete
    • Icon: Major Major
    • None
    • None
    • Operator permissions introspection
    • To Do
    • OCPPLAN-7733 - Operator API
    • OCPPLAN-7733Operator API

      AKA Android-Style Permissions

      Customer Problem: Operators usually have elevated permissions that exceed what a regular tenant can do. On top of that those permissions might change between Operator versions. Cluster administrators need to have a way to introspect those permissions upfront with a chance to approve permissions. They also need to be notified when those permissions are changing during an update so they have a chance re-approve. This process is not relevant in environments that are controlled via external automation.

      Goal: Administrators are able to review all RBAC and permission related objects that will be applied to a cluster before and after they are installed the first time, and should be required to re-review any updates that change substantially (i.e. request more permission than has been approved).

       

      Pre-requisites:

      •  ability to ship SCC manifest in the Operator bundle in OLM-1781

       

      Acceptance criteria:

      • administrators can review the required RBAC and SCC permissions before the Operator gets installed
      • administrator can review the RBAC and SCCs an Operator has been given at any time
      • administrators are alerted about RBAC and SCC permissions increase during updates before the update gets installed and need to approve those
      • administrators are able to provide a force option to acknowledge the RBAC/SCC review for scripted / GitOps installs
      • force install also affects update policy - operators are installed right away even if update strategy is set to manual

              krizza@redhat.com Kevin Rizza
              DanielMesser Daniel Messer
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: