Story
Resolution: Unresolved
Major
Product / Portfolio Work
Note: It is possible that we'll remove this FeatureGate. Therefore, we should confirm with the Team Lead that this FG will stay and eventually be turned on before working on this issue.
The Helm applier currently supports the PreflightPermissions feature gate, which checks the service account's permissions against the permissions required for OLM to manage the bundle being lifecycled. In order to get Boxcutter to TechPreview, we'll need to add support for this feature gate so that the downstream OTE tests pass.
We should write an RFC to describe how we'll add PreflightPermissions support to the Boxcutter applier.
Likely changes/Open Questions:
- If the ClusterExtension configured service account is used for the creation of the ClusterExtensionRevision resources, the service account will need to have the RBAC necessary to do that. If we want to be very tight/restrictive in the scoping of this service account, this means that it should only be able to manage named revision resources (<clusterextensionname>-<rev#>). This also means that any time a new revision is created, the service account will need to be updated to allow for the new revision. We need to understand how we want to handle this:
- use admin client to manage ClusterExtensionRevision resources
- user can add the RBAC rule to allow the management of any ClusterExtensionRevision resource
- user must update the service account for every new revision
This could be solved by simply expecting that the service account can manage the particular revision being created, and letting the user decide the level of restrictiveness (e.g. the requirement to create clusterextension ext-rev-1 can be met with allow create '*' as much as with allow create 'ext-rev-1').
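As an added example (not code from operator-controller or from this issue), a minimal Go model of how a preflight check could compare the service account's RBAC rules against the permission needed to create one revision, showing that a rule with no resourceNames and a rule naming ext-rev-1 both satisfy it while a rule still naming the previous revision does not. It assumes Kubernetes RBAC matching semantics, the olm.operatorframework.io API group and the clusterextensionrevisions resource name.

```go
package main

// PolicyRule holds the fields of a Kubernetes RBAC PolicyRule that the
// preflight check needs (assumed subset, not OLM's own types).
type PolicyRule struct {
	APIGroups, Resources, ResourceNames, Verbs []string
}

// Required is one permission the preflight check demands.
type Required struct{ APIGroup, Resource, Name, Verb string }

// contains applies RBAC list semantics: "*" is a wildcard for verbs,
// API groups and resources, but not for resourceNames.
func contains(list []string, want string, wildcard bool) bool {
	for _, v := range list {
		if v == want || (wildcard && v == "*") {
			return true
		}
	}
	return false
}

// Allows reports whether one rule grants the permission. An empty
// ResourceNames list means "any name": that is the unrestricted
// "create '*'" case, while a populated list is the per-revision case.
func (r PolicyRule) Allows(req Required) bool {
	return contains(r.Verbs, req.Verb, true) &&
		contains(r.APIGroups, req.APIGroup, true) &&
		contains(r.Resources, req.Resource, true) &&
		(len(r.ResourceNames) == 0 || contains(r.ResourceNames, req.Name, false))
}

// Missing returns the required permissions that no rule grants; an empty
// result means the service account would pass the preflight check.
func Missing(rules []PolicyRule, reqs []Required) []Required {
	var missing []Required
	for _, req := range reqs {
		granted := false
		for _, r := range rules {
			if r.Allows(req) {
				granted = true
				break
			}
		}
		if !granted {
			missing = append(missing, req)
		}
	}
	return missing
}
```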