Docs: Derive minimal service account needed to install a bundle

[perdasilva]

Write user documentation describing how to derive the minimal service account needed to install a bundle. If documentation already exists, review it and ensure it is still accurate and up-to-date.

A/C:

• Call out OLM v1 security stance (secure by default)
• Explain installing a CE requires a Service Account
• Describe how to derive the minimal RBAC for the installer service account:
  • ClusterRole with all the roles in the CSV
  • CE finalizer
  • Role for the namespace scoped bundle contents
  • ClusterRole with all the cluster scoped bundle contents (CRDS + some openshift specific ones) as well as ClusterRoles and ClusterRoleBindings
  • All rules in all the Roles and Cluster roles
  • Call out making installer SA admin as a (non-production) workaround (as an example, kubectl command to do it in KIND)

Open Question:

• Is there a standard admin ClusterRole that is present in all/any/most k8s distributions? (seems to be the case, see: https://kubernetes.io/docs/reference/access-authn-authz/rbac/)

Reach out if you have any questions please reach out on Slack

Current documentation is posted up at https://operator-framework.github.io/operator-controller/ New docs should be placed in docs/drafts

[rashmi43]

I would like to take up this task

[rashmi43]

/assign rashmi43

[LalatenduMohanty]

PR under review https://github.com/operator-framework/operator-controller/pull/1238