[epic] ClusterExtension uses service account provided in spec to manage content

[joelanford]

Follow least privilege principle and reduce confused deputy problems by limiting the scope of OLM v1’s permissions. Instead, have users provide a ServiceAccount with the necessary permissions to manage an extension.

For more information on this feature, please see the following documents:

• brief
• rfc

Tasks

• [x] #971
• [x] #972
• [x] #973
• [x] #974
• [x] #975
• [x] #976
• [x] #977

[joelanford]

I've done some hacking today to get support into helm-operator-plugins and rukpak for specifying and using a service account https://github.com/operator-framework/rukpak/pull/857

I know we're looking to eliminate the separate rukpak controller's but perhaps these changes are useful in some way if we reuse or vendor helm-operator-plugins and/or rukpak code.

[varshaprasad96]

Related https://github.com/operator-framework/operator-controller/issues/840

[skattoju]

/assign

[joelanford]

By the way, I think this particular feature is going to be a fairly complex change that will require some upfront design.

@skattoju if you want to pick this up, can we do a kickoff meeting to discuss the high level goals and talk through some of the implications? And I think we'll want to put together a design doc for this one once we figure out what the plan is.

The issue that @varshaprasad96 linked has a bunch of the context.

[skattoju]

Definitely! I'll set something up 👍

[skattoju]

i have started a PoC i am still testing to see if it works.. https://github.com/skattoju/operator-controller/tree/sa_from_spec_poc

[joelanford]

@everettraven

Just checking to see if this epic is still in correct state ("Needs Docs")? I see a doc task in the description that is closed and there are no open issues. Can we close this out?

[everettraven]

@joelanford looks like the PR for that docs issue just merged today, should be good to close it out!