-
Epic
-
Resolution: Obsolete
-
Major
-
None
-
None
-
RBAC Automation
-
8
-
False
-
False
-
To Do
-
OCPPLAN-7751 - Descoping Preparation
-
OCPPLAN-7751Descoping Preparation
-
0% To Do, 0% In Progress, 100% Done
-
Undefined
-
XL
Epic Goal
- Admins can control which users can use an operator or an operator feature
- Admins can control whether an operator has permission to run or provide a feature
Why is this important?
- The existing RBAC automation in OLM is often cited as a reason why operator authors avoid "AllNamespace" operators - they don't want the operator's roles and rolebindings to be elevated to ClusterRoles and ClusterRoleBindings. AllNamespace operators are the simplest to treat as "descoped", so if we can solve the rbac automation problem today, we can avoid migration pain in the future.
Scenarios
- Admins can control which users can use an operator or an operator feature
- Admins can control whether an operator has permission to run or provide a feature
- Allow opting out of OLM's default RBAC automation, so that the above controls can be used instead
- The source scope of this control is either a particular operator or a group of operators
- The target scope of this control is either an individual user, a user group or a role in a namespace
Examples from SRE-personas:
- ROSA/OSD customers cannot use APIs for SREP operators unless explicitly granted to the "dedicated-admins" Group
- ROSA/OSD customers (members of "dedicated-admins" Group) can use APIs for any operator they customer installs without SRE involvement
Out-of-scope / Potential for follow-up
- Authors can define RBAC that a user would need to use an operator or a feature of an operator (including RBAC on sub-resources, e.g. scale)
- Authors can define RBAC that the operator needs to run or provide a feature
- Authors can suggest default permissions for users and default permissions for itself
- If authors didn't specify any specific RBAC users require to use a certain operator features, OLM synthesizes sane default RBAC per CRD that the operator owns
- Streamlining OLM's default RBAC automation around the Subscription API (no create / patch / update verb) so that it easier for non-cluster-admins to discover that they are not allowed to install Operators
Acceptance Criteria
- CI - MUST be running successfully with tests automated
- Release Technical Enablement - Provide necessary release enablement details and documents.
Related Work:
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>
- incorporates
-
RFE-1590 Support scaling CRD resources
- Accepted
- is incorporated by
-
OCPSTRAT-393 OLM v1: Extension permissions management (F13)
- New
- is related to
-
OPECO-1900 Operator RBAC scoping and multi-tenancy for descoped Operators (upstream)
- Closed