Write user documentation describing how to derive the minimal service account needed to install a bundle. If documentation already exists, review it and ensure it is still accurate and up-to-date.
A/C:
- Call out OLM v1 security stance (secure by default)
- Explain that installing a ClusterExtension (CE) requires a Service Account
- Describe how to derive the minimal RBAC for the installer service account:
  - ClusterRole with all the roles in the CSV
  - CE finalizer
  - Role for the namespace-scoped bundle contents
  - ClusterRole with all the cluster-scoped bundle contents (CRDs + some OpenShift-specific ones) as well as ClusterRoles and ClusterRoleBindings
  - All rules in all the Roles and ClusterRoles
- Call out making the installer SA admin as a (non-production) workaround (as an example, the kubectl command to do it in KIND)
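
The RBAC pieces listed above, written out as manifests. This is an added example, not taken from the operator-controller docs or from a real bundle: `my-ext`, `my-ext-installer`, `my-ext-system`, `widgets.example.com` and the rules copied "from the CSV" are constructed placeholders.

```yaml
# Constructed example: my-ext, my-ext-installer, my-ext-system and
# widgets.example.com are placeholders, not values from a real bundle.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: my-ext-installer
rules:
# ClusterExtension finalizer, limited to this one extension
- apiGroups: [olm.operatorframework.io]
  resources: [clusterextensions/finalizers]
  verbs: [update]
  resourceNames: [my-ext]
# Cluster-scoped bundle contents: create cannot be restricted by
# resourceNames, the per-object verbs can
- apiGroups: [apiextensions.k8s.io]
  resources: [customresourcedefinitions]
  verbs: [create, list, watch]
- apiGroups: [apiextensions.k8s.io]
  resources: [customresourcedefinitions]
  verbs: [get, update, patch, delete]
  resourceNames: [widgets.example.com]
# ClusterRoles and ClusterRoleBindings created for the CSV's clusterPermissions
- apiGroups: [rbac.authorization.k8s.io]
  resources: [clusterroles, clusterrolebindings]
  verbs: [create, list, watch, get, update, patch, delete]
# Rules copied from the CSV: RBAC refuses to let the installer create a
# role that grants permissions the installer does not hold itself
- apiGroups: [example.com]
  resources: [widgets, widgets/status]
  verbs: [get, list, watch, update, patch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: my-ext-installer
  namespace: my-ext-system
rules:
# Namespace-scoped bundle contents (here: the operator Deployment and its SA)
- apiGroups: [apps]
  resources: [deployments]
  verbs: [create, list, watch, get, update, patch, delete]
- apiGroups: [""]
  resources: [serviceaccounts]
  verbs: [create, list, watch, get, update, patch, delete]
# Non-production workaround instead of all of the above (e.g. on KIND):
#   kubectl create clusterrolebinding my-ext-installer-admin \
#     --clusterrole=cluster-admin \
#     --serviceaccount=my-ext-system:my-ext-installer
```

Both objects take effect only once bound to the installer ServiceAccount with a ClusterRoleBinding and a RoleBinding in the install namespace.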
Open Question:
If you have any questions, please reach out on Slack.
Current documentation is posted at https://operator-framework.github.io/operator-controller/. New docs should be placed in docs/drafts.