Project: Operator Runtime
Issue: OPRUN-3283

ClusterExtension uses service account provided in spec to manage content


    • Type: Epic
    • Resolution: Done
    • Priority: Normal
    • Epic Name: ClusterExtension uses service account provided in spec to manage content
    • Upstream
    • 17
    • Status: To Do
    • Parent: OCPSTRAT-1597 - [Tech Preview/phase 4] Next-gen OLM (OLM v1)
    • Progress: 0% To Do, 0% In Progress, 100% Done


      Epic Goal

      • OLM v0 ran with full cluster-admin permissions so that it could install any arbitrary package on the cluster. The consequence is that any user who can add a catalog to the cluster and create a Subscription to a package in that catalog can escalate their own permissions: OLM applies whatever the bundle contains, with its own cluster-admin rights. To mitigate that escalation path, installation in v0 is restricted to cluster admins, who are the only ones allowed to add catalogs. In OLM v1 we want a simpler UX that lets users apply whatever content they want more broadly, and the consequence is that the user must now explicitly hold the permissions needed to apply the resources included in the operator bundle. To accomplish this, this epic updates OLM v1 so that it holds no create or update permissions of its own and instead requires a service account to be provided for each installation; that service account's RBAC bounds what the installed content can touch.
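      The following manifests are an added illustration of that model and are not part of this epic or of the operator-controller project. They show a dedicated installer ServiceAccount whose ClusterRole lists only the resource types a hypothetical bundle needs, bound to a ClusterExtension that names it. The ClusterExtension field names (`spec.namespace`, `spec.serviceAccount.name`, `spec.source`) are assumed from the upstream API shape rather than taken from this page, and every name and the package are hypothetical.

```yaml
# Added illustration: OLM v1 itself holds no create/update rights, so each
# ClusterExtension names a ServiceAccount whose RBAC bounds what the installed
# bundle may create. Field names on ClusterExtension are assumptions about the
# upstream API, not copied from this epic; all names are hypothetical.
apiVersion: v1
kind: Namespace
metadata:
  name: example-operator            # hypothetical install namespace
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-operator-installer  # hypothetical SA used for the installation
  namespace: example-operator
---
# Grant only what this bundle's manifests actually need. Enumerating resources
# (instead of "*") is what turns "permission to install" into a bounded grant
# rather than an implicit cluster-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-operator-installer
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts", "services", "configmaps"]
    verbs: ["create", "update", "patch", "delete", "get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["create", "update", "patch", "delete", "get", "list", "watch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["create", "update", "patch", "delete", "get", "list", "watch"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
    verbs: ["create", "update", "patch", "delete", "get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-operator-installer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: example-operator-installer
subjects:
  - kind: ServiceAccount
    name: example-operator-installer
    namespace: example-operator
---
apiVersion: olm.operatorframework.io/v1   # assumed API version
kind: ClusterExtension
metadata:
  name: example-operator
spec:
  namespace: example-operator             # assumed field: where bundle content lands
  serviceAccount:
    name: example-operator-installer      # assumed field: the SA this epic introduces
  source:
    sourceType: Catalog
    catalog:
      packageName: example-operator       # hypothetical package name
```

      Two practical notes on this shape. First, the bundle's own RBAC objects are still bounded: the Kubernetes RBAC escalation check only lets a subject create a Role or ClusterRole containing permissions it already holds (unless it has the `escalate` verb), so the installer ServiceAccount cannot be used to mint broader rights than its ClusterRole grants. Second, the permissions can be checked before the ClusterExtension is applied, for example with `kubectl auth can-i create deployments --as=system:serviceaccount:example-operator:example-operator-installer`, which is the check an operator would run when an installation fails on a missing verb.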

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.

      Previous Work (Optional):

      1. Upstream parent issue: https://github.com/operator-framework/operator-controller/issues/737
      2. Upstream Brief: https://docs.google.com/document/d/1hYgVF8aj5QPewV-WbGchsBX4BBH2G7te0qF_z7vuK-Q/edit?usp=sharing
      3. Upstream RFC: https://docs.google.com/document/d/1LcjggSjrad12i4F9reeCW6tawPCbuAEww0yWcoUlsD4/edit?usp=sharing

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

              People: Bryce Palmer (rh-ee-bpalmer), Kevin Rizza (krizza@redhat.com), Kui Wang