-
Epic
-
Resolution: Unresolved
-
Undefined
-
None
-
None
-
None
-
Permission validation pre-flight
-
Upstream
-
24
-
False
-
None
-
False
-
Not Selected
-
In Progress
-
OCPSTRAT-1583 - [Tech Preview] OLM v1: Create a ServiceAccount with necessary permissions for managing cluster content lifecycle
-
OCPSTRAT-1583[Tech Preview] OLM v1: Create a ServiceAccount with necessary permissions for managing cluster content lifecycle
-
55% To Do, 18% In Progress, 27% Done
From the WIP brief:
We propose adding a preflight check to OLMv1 that verifies whether the provided ServiceAccount for a ClusterExtension has all required permissions for managing extension content. If permissions are missing, the preflight check will output a clear and actionable list of deficiencies, reducing installation failures and allowing users to resolve issues proactively
See https://docs.google.com/document/d/1W7ThVE7yAd43IW1KETAB9x8pQqIRu7Dqs7jZi5QjQaM for in-depth summary
We've identified the following separable tasks:
Feature Gate Implementation
• implement feature-gate, setup conditional we can use everywhere
Preflight Framework Updates
• make a space for this preflight to be called and make sure it shares calling pattern with the existing CRDUpgradeSafety preflight
Helm Dry-Run Handling
• fast fail Get check for helm dry run ability to run
• process Helm dry-run results, probably just get as []error
Permission Verification
• do the doc Step 1 permission verification as well as escalate/bind checking
Permissions and Validation Checks
• SelfSubjectRulesReview runner
Testing
• unit test suites for each of the above
• two (2) new e2e for this work: happy path and common failure path
