  2. RFE-8072

CSV cert-manager-operator.v1.15.1 has cluster permissions

    • Resolution: Unresolved
    • Product / Portfolio Work

      Ref: https://github.ibm.com/PrivateCloud-analytics/CPD-Quality/issues/44029

      Problem Description:

      A non-compliance finding was raised against the cert-manager Operator for Red Hat OpenShift by the following check:
      cpd_nc_sh_026_csv_clusterPermissions_present

      CSV: cert-manager-operator.v1.15.1 — this is the version in use in CPD.

      clusterPermissions grant the operator's service account cluster-wide RBAC, which violates CPD's requirement for namespace-scoped RBAC.
      This is a security risk: anyone who obtains that service account's token, such as a tenant admin, inherits the same cluster-wide rights and can escalate privilege. In the CSV below, the rules include cluster-wide create/update/delete on secrets, customresourcedefinitions, webhook configurations, clusterroles and clusterrolebindings, which is what makes such escalation possible. We therefore need the clusterPermissions removed from the CSV.

      CSV info:

      apiVersion: operators.coreos.com/v1alpha1 kind: ClusterServiceVersion metadata:   annotations:     alm-examples: |-       [         {           "apiVersion": "acme.cert-manager.io/v1",           "kind": "Challenge",           "metadata": {             "name": "tls-cert-sample",             "namespace": "default"           },           "spec": {             "authorizationURL": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/XXXXX",             "dnsName": "sample.dns.name",             "issuerRef": {               "kind": "Issuer",               "name": "letsencrypt-staging"             },             "key": "XXX",             "solver": {               "dns01": {                 "route53": {                   "accessKeyID": "XXX",                   "hostedZoneID": "XXX",                   "region": "us-east-1",                   "secretAccessKeySecretRef": {                     "key": "awsSecretAccessKey",                     "name": "aws-secret"                   }                 }               },               "selector": {                 "dnsNames": [                   "sample.dns.name"                 ]               }             },             "token": "XXX",             "type": "DNS-01",             "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/XXXXXX/XXXXX",             "wildcard": false           }         },         {           "apiVersion": "acme.cert-manager.io/v1",           "kind": "Order",           "metadata": {             "annotations": {               "cert-manager.io/certificate-name": "tls-cert",               "cert-manager.io/certificate-revision": "1",               "cert-manager.io/private-key-secret-name": "tls-cert-sample"             },             "name": "tls-cert-sample",             "namespace": "default"           },           "spec": {             "commonName": "sample.dns.name",             "dnsNames": [               "sample.dns.name"             ],             "issuerRef": {               
"kind": "Issuer",               "name": "letsencrypt-staging"             },             "request": "XXX"           }         },         {           "apiVersion": "cert-manager.io/v1",           "kind": "Certificate",           "metadata": {             "name": "selfsigned-ca",             "namespace": "default"           },           "spec": {             "commonName": "selfsigned-ca.dns.name",             "isCA": true,             "issuerRef": {               "group": "cert-manager.io",               "kind": "ClusterIssuer",               "name": "selfsigned-issuer"             },             "privateKey": {               "algorithm": "ECDSA",               "size": 256             },             "secretName": "ca-root-secret"           }         },         {           "apiVersion": "cert-manager.io/v1",           "kind": "Certificate",           "metadata": {             "name": "tls-cert",             "namespace": "default"           },           "spec": {             "commonName": "sample.dns.name",             "dnsNames": [               "sample.dns.name"             ],             "isCA": false,             "issuerRef": {               "kind": "Issuer",               "name": "letsencrypt-staging"             },             "secretName": "tls-cert"           }         },         {           "apiVersion": "cert-manager.io/v1",           "kind": "CertificateRequest",           "metadata": {             "annotations": {               "cert-manager.io/certificate-name": "tls-cert",               "cert-manager.io/certificate-revision": "1",               "cert-manager.io/private-key-secret-name": "tls-cert-sample"             },             "name": "tls-cert-sample",             "namespace": "default"           },           "spec": {             "groups": [               "system:serviceaccounts",               "system:serviceaccounts:cert-manager",               "system:authenticated"             ],             "issuerRef": {               "kind": "Issuer",         
      "name": "letsencrypt-staging"             },             "request": "XXX",             "username": "system:serviceaccount:cert-manager:cert-manager"           }         },         {           "apiVersion": "cert-manager.io/v1",           "kind": "ClusterIssuer",           "metadata": {             "name": "selfsigned-issuer"           },           "spec": {             "selfSigned": {}           }         },         {           "apiVersion": "cert-manager.io/v1",           "kind": "Issuer",           "metadata": {             "name": "ca-issuer",             "namespace": "default"           },           "spec": {             "ca": {               "secretName": "ca-root-secret"             }           }         },         {           "apiVersion": "cert-manager.io/v1",           "kind": "Issuer",           "metadata": {             "name": "letsencrypt-staging",             "namespace": "default"           },           "spec": {             "acme": {               "email": "aos-ci-cd@redhat.com",               "privateKeySecretRef": {                 "name": "letsencrypt-staging"               },               "server": "https://acme-staging-v02.api.letsencrypt.org/directory",               "solvers": [                 {                   "dns01": {                     "route53": {                       "accessKeyID": "ACCESS_KEY_ID",                       "hostedZoneID": "HOSTED_ZONE_ID",                       "region": "AWS_REGION",                       "secretAccessKeySecretRef": {                         "key": "access-key",                         "name": "sample-aws-secret"                       }                     }                   },                   "selector": {                     "dnsNames": [                       "sample.dns.name"                     ]                   }                 }               ]             }           }         },         {           "apiVersion": "operator.openshift.io/v1alpha1",           "kind": "CertManager", 
          "metadata": {             "name": "cluster"           },           "spec": {             "logLevel": "Normal",             "managementState": "Managed"           }         },         {           "apiVersion": "operator.openshift.io/v1alpha1",           "kind": "IstioCSR",           "metadata": {             "annotations": {               "kubernetes.io/description": "Creating this resource requires the istio-csr tech-preview feature to be enabled, which otherwise has no effect. Please refer to the cert-manager documentation for more information on enabling the istio-csr feature. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process"             },             "name": "default",             "namespace": "istio-csr"           },           "spec": {             "istioCSRConfig": {               "certManager": {                 "issuerRef": {                   "group": "cert-manager.io",                   "kind": "Issuer",                   "name": "istio-csr-issuer"                 }               },               "istio": {                 "namespace": "istio-system"               },               "istiodTLSConfig": {                 "trustDomain": "cluster.local"               }             }           }         }       ]     capabilities: Seamless Upgrades     categories: Security     console.openshift.io/disable-operand-delete: "true"     containerImage: registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256:f328263e2d29e34ede65e4501f0447b2d9f84e9445a365c2fa2fbb253939e274     createdAt: 2025-03-13T18:26:37     features.operators.openshift.io/cnf: "false"     features.operators.openshift.io/cni: "false"     features.operators.openshift.io/csi: 
"false"     features.operators.openshift.io/disconnected: "false"     features.operators.openshift.io/fips-compliant: "true"     features.operators.openshift.io/proxy-aware: "true"     features.operators.openshift.io/tls-profiles: "false"     features.operators.openshift.io/token-auth-aws: "true"     features.operators.openshift.io/token-auth-azure: "true"     features.operators.openshift.io/token-auth-gcp: "true"     olm.operatorGroup: openshift-cert-manager-operator     olm.operatorNamespace: cert-manager-operator     olm.skipRange: '>=1.15.0 <1.15.1'     operator.openshift.io/uninstall-message: The cert-manager Operator for Red Hat       OpenShift will be removed from cert-manager-operator namespace. If your Operator       configured any off-cluster resources, these will continue to run and require       manual cleanup. All operands created by the operator will need to be manually       cleaned up. Please refer to https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/cert-manager-operator-uninstall.html       for additional steps.     
operatorframework.io/cluster-monitoring: "true"     operatorframework.io/properties: '{"properties":[{"type":"olm.gvk","value":{"group":"acme.cert-manager.io","kind":"Challenge","version":"v1"}},{"type":"olm.gvk","value":{"group":"acme.cert-manager.io","kind":"Order","version":"v1"}},{"type":"olm.gvk","value":{"group":"cert-manager.io","kind":"Certificate","version":"v1"}},{"type":"olm.gvk","value":{"group":"cert-manager.io","kind":"CertificateRequest","version":"v1"}},{"type":"olm.gvk","value":{"group":"cert-manager.io","kind":"ClusterIssuer","version":"v1"}},{"type":"olm.gvk","value":{"group":"cert-manager.io","kind":"Issuer","version":"v1"}},{"type":"olm.gvk","value":{"group":"operator.openshift.io","kind":"CertManager","version":"v1alpha1"}},{"type":"olm.gvk","value":{"group":"operator.openshift.io","kind":"IstioCSR","version":"v1alpha1"}},{"type":"olm.package","value":{"packageName":"openshift-cert-manager-operator","version":"1.15.1"}}]}'     operatorframework.io/suggested-namespace: cert-manager-operator     operators.openshift.io/infrastructure-features: '["proxy-aware"]'     operators.openshift.io/valid-subscription: '["OpenShift Kubernetes Engine", "OpenShift       Container Platform", "OpenShift Platform Plus"]'     operators.operatorframework.io/builder: operator-sdk-v1.25.1     operators.operatorframework.io/project_layout: go.kubebuilder.io/v3     repository: https://github.com/openshift/cert-manager-operator     support: Red Hat, Inc.   
creationTimestamp: "2025-04-06T22:10:47Z"   generation: 1   labels:     olm.copiedFrom: cert-manager-operator     olm.managed: "true"     operatorframework.io/arch.amd64: supported     operatorframework.io/arch.arm64: supported     operatorframework.io/arch.ppc64le: supported     operatorframework.io/arch.s390x: supported     operatorframework.io/os.linux: supported   name: cert-manager-operator.v1.15.1   namespace: cpd-ops   resourceVersion: "86876"   uid: 8eba92b9-fad3-46b0-87e6-d80e8f0019d6 spec:   apiservicedefinitions: {}   cleanup:     enabled: false   customresourcedefinitions:     owned:     - kind: CertificateRequest       name: certificaterequests.cert-manager.io       version: v1     - kind: Certificate       name: certificates.cert-manager.io       version: v1     - description: CertManager is the Schema for the certmanagers API       displayName: CertManager       kind: CertManager       name: certmanagers.operator.openshift.io       version: v1alpha1     - kind: Challenge       name: challenges.acme.cert-manager.io       version: v1     - kind: ClusterIssuer       name: clusterissuers.cert-manager.io       version: v1     - kind: Issuer       name: issuers.cert-manager.io       version: v1     - kind: IstioCSR       name: istiocsrs.operator.openshift.io       version: v1alpha1     - kind: Order       name: orders.acme.cert-manager.io       version: v1   description: |     The cert-manager Operator for Red Hat OpenShift provides seamless support for [cert-manager v1.15.5](https://github.com/cert-manager/cert-manager/tree/v1.15.2), which automates certificate management.     For more information, see the [cert-manager Operator for Red Hat OpenShift documentation](https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html).   
displayName: cert-manager Operator for Red Hat OpenShift   icon:   - base64data: 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     mediatype: image/png   install:     spec:       clusterPermissions:       - rules:         - apiGroups:           - ""           resources:           - configmaps           - events           - namespaces           - serviceaccounts           - services           verbs:           - create           - delete           - get           - list           - patch           - update           - watch         - apiGroups:           - ""           resources:           - pods           - secrets           verbs:           - create           - delete           - get           - list           - patch           - update           - watch         - apiGroups:           - acme.cert-manager.io           resources:           - challenges           - challenges/finalizers           - challenges/status           verbs:           - create           - delete           - get           - list           - patch           - update           - watch         - apiGroups:           - acme.cert-manager.io           resources:           - challenges           - challenges/finalizers           - challenges/status           - orders           - orders/finalizers           - orders/status           verbs:           - create           - delete           - deletecollection           - get           - list           - patch           - update           - watch         - apiGroups:           - admissionregistration.k8s.io           resources:           - mutatingwebhookconfigurations           - validatingwebhookconfigurations           verbs:           - create           - delete           - get           - list           - patch           - update           - watch         - apiGroups:           - apiextensions.k8s.io           resources:           - customresourcedefinitions           verbs:           - create           - delete           - get           - list 
          - patch           - update           - watch         - apiGroups:           - apiregistration.k8s.io           resources:           - apiservices           verbs:           - create           - delete           - get           - list           - patch           - update           - watch         - apiGroups:           - apps           resources:           - deployments           - replicasets           verbs:           - create           - delete           - get           - list           - patch           - update           - watch         - apiGroups:           - cert-manager.io           resources:           - certificaterequests           - certificaterequests/finalizers           - certificaterequests/status           - certificates           - certificates/finalizers           - certificates/status           - clusterissuers           - clusterissuers/status           - issuers           - issuers/status           verbs:           - create           - delete           - deletecollection           - get           - list           - patch           - update           - watch         - apiGroups:           - cert-manager.io           resourceNames:           - clusterissuers.cert-manager.io/*           - issuers.cert-manager.io/*           resources:           - signers           verbs:           - approve         - apiGroups:           - certificates.k8s.io           resources:           - certificatesigningrequests           - certificatesigningrequests/status           verbs:           - create           - delete           - get           - list           - patch           - update           - watch         - apiGroups:           - certificates.k8s.io           resources:           - signers           verbs:           - create           - delete           - get           - list           - patch           - sign           - update           - watch         - apiGroups:           - config.openshift.io           resources:           - certmanagers     
      - clusteroperators           - clusteroperators/status           - infrastructures           verbs:           - create           - delete           - get           - list           - patch           - update           - watch         - apiGroups:           - coordination.k8s.io           resources:           - leases           verbs:           - create           - delete           - get           - list           - patch           - update           - watch         - apiGroups:           - gateway.networking.k8s.io           resources:           - gateways           - gateways/finalizers           - httproutes           - httproutes/finalizers           verbs:           - create           - delete           - get           - list           - patch           - update           - watch         - apiGroups:           - networking.k8s.io           resources:           - ingresses           - ingresses/finalizers           verbs:           - create           - delete           - get           - list           - patch           - update           - watch         - apiGroups:           - operator.openshift.io           resources:           - certmanagers           verbs:           - create           - delete           - get           - list           - patch           - update           - watch         - apiGroups:           - operator.openshift.io           resources:           - certmanagers/finalizers           verbs:           - update         - apiGroups:           - operator.openshift.io           resources:           - certmanagers/status           verbs:           - get           - patch           - update         - apiGroups:           - operator.openshift.io           resources:           - istiocsrs           verbs:           - get           - list           - patch           - update           - watch         - apiGroups:           - operator.openshift.io           resources:           - istiocsrs/finalizers           verbs:           - update         - 
apiGroups:           - operator.openshift.io           resources:           - istiocsrs/status           verbs:           - get           - patch           - update         - apiGroups:           - rbac.authorization.k8s.io           resources:           - clusterrolebindings           - clusterroles           - rolebindings           - roles           verbs:           - create           - delete           - get           - list           - patch           - update           - watch         - apiGroups:           - route.openshift.io           resources:           - routes           - routes/custom-host           verbs:           - create           - delete           - get           - list           - patch           - update           - watch         - apiGroups:           - authentication.k8s.io           resources:           - tokenreviews           verbs:           - create         - apiGroups:           - authorization.k8s.io           resources:           - subjectaccessreviews           verbs:           - create         serviceAccountName: cert-manager-operator-controller-manager       deployments:       - label:           app.kubernetes.io/component: manager           app.kubernetes.io/created-by: cert-manager-operator           app.kubernetes.io/instance: controller-manager           app.kubernetes.io/managed-by: kustomize           app.kubernetes.io/name: deployment           app.kubernetes.io/part-of: cert-manager-operator         name: cert-manager-operator-controller-manager         spec:           replicas: 1           selector:             matchLabels:               name: cert-manager-operator           strategy: {}           template:             metadata:               annotations:                 kubectl.kubernetes.io/default-container: cert-manager-operator               creationTimestamp: null               labels:                 name: cert-manager-operator             spec:               affinity:                 nodeAffinity:                  
 requiredDuringSchedulingIgnoredDuringExecution:                     nodeSelectorTerms:                     - matchExpressions:                       - key: kubernetes.io/arch                         operator: In                         values:                         - amd64                         - arm64                         - ppc64le                         - s390x                       - key: kubernetes.io/os                         operator: In                         values:                         - linux               containers:               - args:                 - start                 - --v=$(OPERATOR_LOG_LEVEL)                 - --trusted-ca-configmap=$(TRUSTED_CA_CONFIGMAP_NAME)                 - --cloud-credentials-secret=$(CLOUD_CREDENTIALS_SECRET_NAME)                 - --unsupported-addon-features=$(UNSUPPORTED_ADDON_FEATURES)                 command:                 - /usr/bin/cert-manager-operator                 env:                 - name: WATCH_NAMESPACE                   valueFrom:                     fieldRef:                       fieldPath: metadata.annotations['olm.targetNamespaces']                 - name: POD_NAME                   valueFrom:                     fieldRef:                       fieldPath: metadata.name                 - name: OPERATOR_NAME                   value: cert-manager-operator                 - name: RELATED_IMAGE_CERT_MANAGER_WEBHOOK                   value: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6af3ee8b2a5a87042fb7158bda8d6cf2e6324d1e265974acf77214d4cd0ea0d3                 - name: RELATED_IMAGE_CERT_MANAGER_CA_INJECTOR                   value: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6af3ee8b2a5a87042fb7158bda8d6cf2e6324d1e265974acf77214d4cd0ea0d3                 - name: RELATED_IMAGE_CERT_MANAGER_CONTROLLER                   value: 
registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6af3ee8b2a5a87042fb7158bda8d6cf2e6324d1e265974acf77214d4cd0ea0d3                 - name: RELATED_IMAGE_CERT_MANAGER_ACMESOLVER                   value: registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:20efff60a0caf5eafb38986fd21611697b5bc534c2e789da233983a9739938ed                 - name: RELATED_IMAGE_CERT_MANAGER_ISTIOCSR                   value: registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:9573d74bd2b926ec94af76f813e6358f14c5b2f4e0eedab7c1ff1070b7279a5c                 - name: OPERAND_IMAGE_VERSION                   value: 1.15.5                 - name: ISTIOCSR_OPERAND_IMAGE_VERSION                   value: 0.14.0                 - name: OPERATOR_IMAGE_VERSION                   value: 1.15.1                 - name: OPERATOR_LOG_LEVEL                   value: "2"                 - name: TRUSTED_CA_CONFIGMAP_NAME                 - name: CLOUD_CREDENTIALS_SECRET_NAME                 - name: UNSUPPORTED_ADDON_FEATURES                 image: registry.redhat.io/cert-manager/cert-manager-operator-rhel9@sha256:f328263e2d29e34ede65e4501f0447b2d9f84e9445a365c2fa2fbb253939e274                 imagePullPolicy: IfNotPresent                 name: cert-manager-operator                 ports:                 - containerPort: 8443                   name: https                   protocol: TCP                 resources:                   requests:                     cpu: 10m                     memory: 32Mi                 securityContext:                   allowPrivilegeEscalation: false                   capabilities:                     drop:                     - ALL                   privileged: false                   runAsNonRoot: true                   seccompProfile:                     type: RuntimeDefault               securityContext:                 runAsNonRoot: true                 seccompProfile:                   type: RuntimeDefault             
  serviceAccountName: cert-manager-operator-controller-manager               terminationGracePeriodSeconds: 10       permissions:       - rules:         - apiGroups:           - ""           resources:           - configmaps           verbs:           - get           - list           - watch           - create           - update           - patch           - delete         - apiGroups:           - coordination.k8s.io           resources:           - leases           verbs:           - get           - list           - watch           - create           - update           - patch           - delete         - apiGroups:           - ""           resources:           - events           verbs:           - create           - patch         serviceAccountName: cert-manager-operator-controller-manager     strategy: deployment   installModes:   - supported: true     type: OwnNamespace   - supported: true     type: SingleNamespace   - supported: false     type: MultiNamespace   - supported: true     type: AllNamespaces   keywords:   - cert-manager   - cert-manager-operator   - cert   - certificates   - security   - TLS   links:   - name: Documentation     url: https://github.com/openshift/cert-manager-operator/blob/master/README.md   maintainers:   - email: support@redhat.com     name: Red Hat Support   maturity: stable   minKubeVersion: 1.25.0   provider:     name: Red Hat   relatedImages:   - image: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6af3ee8b2a5a87042fb7158bda8d6cf2e6324d1e265974acf77214d4cd0ea0d3     name: cert-manager-webhook   - image: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6af3ee8b2a5a87042fb7158bda8d6cf2e6324d1e265974acf77214d4cd0ea0d3     name: cert-manager-ca-injector   - image: registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:6af3ee8b2a5a87042fb7158bda8d6cf2e6324d1e265974acf77214d4cd0ea0d3     name: cert-manager-controller   - image: 
registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:20efff60a0caf5eafb38986fd21611697b5bc534c2e789da233983a9739938ed     name: cert-manager-acmesolver   - image: registry.redhat.io/cert-manager/cert-manager-istio-csr-rhel9@sha256:9573d74bd2b926ec94af76f813e6358f14c5b2f4e0eedab7c1ff1070b7279a5c     name: cert-manager-istiocsr   replaces: cert-manager-operator.v1.15.0   version: 1.15.1 status:   cleanup: {}   conditions:   - lastTransitionTime: "2025-04-06T22:10:41Z"     lastUpdateTime: "2025-04-06T22:10:41Z"     message: requirements not yet checked     phase: Pending     reason: RequirementsUnknown   - lastTransitionTime: "2025-04-06T22:10:41Z"     lastUpdateTime: "2025-04-06T22:10:41Z"     message: one or more requirements couldn't be found     phase: Pending     reason: RequirementsNotMet   - lastTransitionTime: "2025-04-06T22:10:43Z"     lastUpdateTime: "2025-04-06T22:10:43Z"     message: all requirements found, attempting install     phase: InstallReady     reason: AllRequirementsMet   - lastTransitionTime: "2025-04-06T22:10:43Z"     lastUpdateTime: "2025-04-06T22:10:43Z"     message: waiting for install components to report healthy     phase: Installing     reason: InstallSucceeded   - lastTransitionTime: "2025-04-06T22:10:43Z"     lastUpdateTime: "2025-04-06T22:10:43Z"     message: 'installing: waiting for deployment cert-manager-operator-controller-manager       to become ready: deployment "cert-manager-operator-controller-manager" not available:       Deployment does not have minimum availability.'     
phase: Installing     reason: InstallWaiting   - lastTransitionTime: "2025-04-06T22:10:55Z"     lastUpdateTime: "2025-04-06T22:10:55Z"     message: install strategy completed with no errors     phase: Succeeded     reason: InstallSucceeded   lastTransitionTime: "2025-04-06T22:10:55Z"   lastUpdateTime: "2025-04-06T22:10:55Z"   message: The operator is running in cert-manager-operator but is managing this namespace   phase: Succeeded   reason: Copied   requirementStatus:   - group: operators.coreos.com     kind: ClusterServiceVersion     message: CSV minKubeVersion (1.25.0) less than server version (v1.31.5)     name: cert-manager-operator.v1.15.1     status: Present     version: v1alpha1   - group: apiextensions.k8s.io     kind: CustomResourceDefinition     message: CRD is present and Established condition is true     name: certificaterequests.cert-manager.io     status: Present     uuid: e6c090e0-e789-40fb-a6bc-1a18af0102c3     version: v1   - group: apiextensions.k8s.io     kind: CustomResourceDefinition     message: CRD is present and Established condition is true     name: certificates.cert-manager.io     status: Present     uuid: 84cf9fbd-1b30-42a7-ba6b-a90c4910bfab     version: v1   - group: apiextensions.k8s.io     kind: CustomResourceDefinition     message: CRD is present and Established condition is true     name: certmanagers.operator.openshift.io     status: Present     uuid: 74d29fe2-17aa-4974-b2ab-7d3b58a5221f     version: v1   - group: apiextensions.k8s.io     kind: CustomResourceDefinition     message: CRD is present and Established condition is true     name: challenges.acme.cert-manager.io     status: Present     uuid: 5d76cd3c-e1e7-4499-b4e7-f18e5495dd79     version: v1   - group: apiextensions.k8s.io     kind: CustomResourceDefinition     message: CRD is present and Established condition is true     name: clusterissuers.cert-manager.io     status: Present     uuid: d98e3865-b83d-455e-808f-85c304325fc1     version: v1   - group: 
apiextensions.k8s.io     kind: CustomResourceDefinition     message: CRD is present and Established condition is true     name: issuers.cert-manager.io     status: Present     uuid: 44d8db10-759f-4dd4-9b8e-351ebfa83c9c     version: v1   - group: apiextensions.k8s.io     kind: CustomResourceDefinition     message: CRD is present and Established condition is true     name: istiocsrs.operator.openshift.io     status: Present     uuid: 5d8f062b-fc85-450a-af48-4b536877c434     version: v1   - group: apiextensions.k8s.io     kind: CustomResourceDefinition     message: CRD is present and Established condition is true     name: orders.acme.cert-manager.io     status: Present     uuid: c3939a3d-cce0-45d9-acdc-b3c899d0ff60     version: v1   - dependents:     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":[""],"resources":["configmaps","events","namespaces","serviceaccounts","services"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":[""],"resources":["pods","secrets"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["acme.cert-manager.io"],"resources":["challenges","challenges/finalizers","challenges/status"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["create","delete","deletecollection","get","list","patch","update","watch"],"apiGroups":["acme.cert-manager.io"],"resources":["challenges","challenges/finalizers","challenges/status","orders","orders/finalizers","orders/status"]}       status: Satisfied       version: v1     - group: 
rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["admissionregistration.k8s.io"],"resources":["mutatingwebhookconfigurations","validatingwebhookconfigurations"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["apiextensions.k8s.io"],"resources":["customresourcedefinitions"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["apiregistration.k8s.io"],"resources":["apiservices"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["apps"],"resources":["deployments","replicasets"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["create","delete","deletecollection","get","list","patch","update","watch"],"apiGroups":["cert-manager.io"],"resources":["certificaterequests","certificaterequests/finalizers","certificaterequests/status","certificates","certificates/finalizers","certificates/status","clusterissuers","clusterissuers/status","issuers","issuers/status"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["approve"],"apiGroups":["cert-manager.io"],"resources":["signers"],"resourceNames":["clusterissuers.cert-manager.io/*","issuers.cert-manager.io/*"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster 
rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["certificates.k8s.io"],"resources":["certificatesigningrequests","certificatesigningrequests/status"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["create","delete","get","list","patch","sign","update","watch"],"apiGroups":["certificates.k8s.io"],"resources":["signers"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["config.openshift.io"],"resources":["certmanagers","clusteroperators","clusteroperators/status","infrastructures"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["coordination.k8s.io"],"resources":["leases"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["gateway.networking.k8s.io"],"resources":["gateways","gateways/finalizers","httproutes","httproutes/finalizers"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["networking.k8s.io"],"resources":["ingresses","ingresses/finalizers"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["operator.openshift.io"],"resources":["certmanagers"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io  
     kind: PolicyRule       message: cluster rule:{"verbs":["update"],"apiGroups":["operator.openshift.io"],"resources":["certmanagers/finalizers"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["get","patch","update"],"apiGroups":["operator.openshift.io"],"resources":["certmanagers/status"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["get","list","patch","update","watch"],"apiGroups":["operator.openshift.io"],"resources":["istiocsrs"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["update"],"apiGroups":["operator.openshift.io"],"resources":["istiocsrs/finalizers"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["get","patch","update"],"apiGroups":["operator.openshift.io"],"resources":["istiocsrs/status"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["rbac.authorization.k8s.io"],"resources":["clusterrolebindings","clusterroles","rolebindings","roles"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["route.openshift.io"],"resources":["routes","routes/custom-host"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io       kind: PolicyRule       message: cluster rule:{"verbs":["create"],"apiGroups":["authentication.k8s.io"],"resources":["tokenreviews"]}       status: Satisfied       version: v1     - group: rbac.authorization.k8s.io   
    kind: PolicyRule       message: cluster rule:{"verbs":["create"],"apiGroups":["authorization.k8s.io"],"resources":["subjectaccessreviews"]}       status: Satisfied       version: v1     group: ""     kind: ServiceAccount     message: ""     name: cert-manager-operator-controller-manager     status: Present     version: v1// code placeholder 

      Expected result: Please remove clusterPermissions in Operator CSVs and use namespace-scoped "permissions" instead. Of the cluster rules listed above, the ones most relevant to the tenant-admin escalation concern are the cluster-wide create/delete/patch grants on `clusterroles`, `clusterrolebindings`, `roles` and `rolebindings`, on `secrets` and `serviceaccounts` in every namespace, and on `mutatingwebhookconfigurations`/`validatingwebhookconfigurations`; any workload that obtains the `cert-manager-operator-controller-manager` service account token inherits all of them. Note also that the `sign` verb on certificates.k8s.io `signers` is granted without a `resourceNames` restriction, unlike the cert-manager.io `approve` rule, which is scoped to `clusterissuers.cert-manager.io/*` and `issuers.cert-manager.io/*`. Some of the listed resources are cluster-scoped by definition (CustomResourceDefinitions, APIServices, webhook configurations, ClusterIssuers, ClusterOperators) and cannot be expressed as namespace-scoped `permissions`, so the request should be read as: move every namespaced-resource rule into `permissions`, and narrow the remaining cluster rules to the minimum verbs and, where possible, `resourceNames`. Thanks.

       

              Unassigned Unassigned
              muktha_ala Muktha Ala
              None