Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

📖 ServiceAccount conflicts with OLMV1 when deploying existing bundles using OLMV1 #1376

Open
rashmi43 opened this issue Oct 15, 2024 · 3 comments
Open

📖 ServiceAccount conflicts with OLMV1 when deploying existing bundles using OLMV1 #1376

rashmi43 opened this issue Oct 15, 2024 · 3 comments

Comments

@rashmi43
Copy link
Contributor

Existing CSV contains:
deployment template
RBAC
ServiceAccount

When deployed as a ClusterExtension the permissions with the deployment are the ones from its CSV. The CE permissions are not added to the deployment. If the service account name is same, there is an conflict when deploying the CE.

Expectation:
The ClusterExtension service account and permissions should be propogated to the deployment. Alternatively, the deployment controller serviceAccount should be overwritten with that listed in the ClusterExtension.
@rashmi43 rashmi43 changed the title ServiceAccount conflicts with OLMV1 when deploying existing bundles using OLMV1 🐛 ServiceAccount conflicts with OLMV1 when deploying existing bundles using OLMV1 Oct 15, 2024
@joelanford
Copy link
Member

joelanford commented Oct 15, 2024
edited
Loading

When deployed as a ClusterExtension the permissions with the deployment are the ones from its CSV

This is expected. Operator-controller generates a service account for the deployment and RBAC for the service account based on the contents of the CSV in much the same way that OLMv0 does.

The CE permissions are not added to the deployment

This is also expected. The CE service account and the bundle's service accounts are for different purposes.

  • For registry+v1 bundles, the deployment's service account is separate. Its RBAC is derived purely from the RBAC that is defined in the CSV.
  • The CE service account manages the lifecycle of the bundle contents. So it requires RBAC that allows it to manage that lifecycle. This means it needs permission to CRUD the manifests that are defined by the bundle. Also note that since the bundle contains RBAC, that means the CE service account requires either:
    • bind/escalate verbs for RBAC, OR
    • the same set of permissions that are defined in the RBAC that it is trying to create.

See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping

If the service account name is same, there is an conflict when deploying the CE.

That's correct. The CE service account is used to install/lifecycle bundle content and the deployment service account is used by the controller for the controller to perform its function. They need to be separate.

@joelanford
Copy link
Member

I think this is working as intended, but perhaps we should beef up our docs (maybe a new concept doc around OLMv1's permissions model) to clarify this intent.

@rashmi43 rashmi43 changed the title 🐛 ServiceAccount conflicts with OLMV1 when deploying existing bundles using OLMV1 📖 ServiceAccount conflicts with OLMV1 when deploying existing bundles using OLMV1 Oct 16, 2024
@rashmi43
Copy link
Contributor Author

I will work with @perdasilva to get a new document around the OLMv1 permission model

@rashmi43 rashmi43 mentioned this issue Oct 16, 2024
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@joelanford @rashmi43