rabbitmq / OLM-Package-Repo

Script to generate OLM (Operator-LifeCycle-Manager) Bundles for RabbitMQ Kubernetes operators
MIT License

Review csv permission model #19

Open DanielePalaia opened 3 months ago

DanielePalaia commented 3 months ago

Is your feature request related to a problem? Please describe.

This issue is to review the permission model (clusterPermissions and permissions) we assign to our manifest.

OLM uses a combination of permissions at cluster and namespace level, as described here: https://medium.com/@nathanpbrophy/olm-and-operator-permissions-declassified-54cd1465f2b4 https://olm.operatorframework.io/docs/advanced-tasks/operator-scoping-with-operatorgroups/

At the moment, as cluster permissions we specify the same set of permissions that we define in the rabbitmq-cluster-operator-role ClusterRole in our manifest: https://github.com/rabbitmq/cluster-operator/releases/download/v2.7.0/cluster-operator.yml

I think we can reduce these permissions and move them to namespace level (in the permissions field).

Describe the solution you'd like

Minimal set possible of cluster-permission for the operator

Describe alternatives you've considered

No response

Additional context

No response

DanielePalaia commented 3 months ago

I made a PR to limit the permissions given at ClusterRole level: https://github.com/rabbitmq/OLM-Package-Repo/pull/20

But after exploring the topic more, this may not be necessary.

As explained here: https://olm.operatorframework.io/docs/advanced-tasks/operator-scoping-with-operatorgroups/

In the section "Scoping Member Operator Permissions": when defining an OperatorGroup, the admin can override the service account specified in the CSV and specify their own, limiting the set of permissions.

Having a look at other published operators, like Redis:

https://github.com/rabbitmq/community-operators-prod/blob/main/operators/redis-operator/0.15.1/manifests/redis-operator.v0.15.1.clusterserviceversion.yaml

They are using the same approach, and they guarantee the singleNamespace mode installation.

We also now correctly support the OPERATOR_SCOPE_NAMESPACE env variable in the CSV.
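The two points raised in this thread (moving namespaced rules out of `clusterPermissions`, and an admin bounding the operator through the service account named in the OperatorGroup) can both be checked mechanically. The script below is an added example written for this page, not code from the OLM-Package-Repo or the cluster-operator project. It works on a constructed stand-in for a CSV's `spec.install.spec` (the rules shown are invented, not the operator's real ClusterRole), uses an assumed table `CLUSTER_SCOPED` of resources that have no namespace, and treats "the scoped service account must already hold every permission the CSV requests" as the consequence of Kubernetes RBAC escalation prevention: a Role or ClusterRole cannot grant what its creator does not have, so an install through a narrower service account fails on the rules left at cluster scope.

```python
"""Added example (not project code): review an OLM CSV's clusterPermissions.

1. split_rule / minimize_cluster_permissions: keep only rules on cluster-scoped
   resources under `clusterPermissions`, move the rest to `permissions`.
2. uncovered_requests: list what an OperatorGroup-scoped service account does
   not hold and therefore cannot grant to the operator.
CSV_INSTALL_SPEC, SCOPED_SA_RULES and CLUSTER_SCOPED are all constructed.
"""

# Assumed (apiGroup, resource) pairs that have no namespace; extend as needed.
CLUSTER_SCOPED = {
    ("", "namespaces"), ("", "nodes"), ("", "persistentvolumes"),
    ("apiextensions.k8s.io", "customresourcedefinitions"),
    ("rbac.authorization.k8s.io", "clusterroles"),
    ("rbac.authorization.k8s.io", "clusterrolebindings"),
    ("storage.k8s.io", "storageclasses"),
}

# Constructed stand-in for spec.install.spec, already parsed from YAML.
CSV_INSTALL_SPEC = {
    "clusterPermissions": [{
        "serviceAccountName": "rabbitmq-cluster-operator",
        "rules": [
            {"apiGroups": [""], "resources": ["pods", "secrets", "services", "configmaps"],
             "verbs": ["get", "list", "watch", "create", "update", "delete"]},
            {"apiGroups": ["apps"], "resources": ["statefulsets"], "verbs": ["*"]},
            {"apiGroups": ["rabbitmq.com"],
             "resources": ["rabbitmqclusters", "rabbitmqclusters/status"], "verbs": ["*"]},
            {"apiGroups": [""], "resources": ["nodes", "pods"], "verbs": ["get", "list"]},
            {"apiGroups": ["apiextensions.k8s.io"],
             "resources": ["customresourcedefinitions"], "verbs": ["get"]},
        ],
    }],
    "permissions": [],
}

# Constructed rules held by the service account an admin would name in
# OperatorGroup.spec.serviceAccountName: namespaced access only.
SCOPED_SA_RULES = [
    {"apiGroups": [""], "resources": ["pods", "secrets", "services", "configmaps"], "verbs": ["*"]},
    {"apiGroups": ["apps"], "resources": ["statefulsets"], "verbs": ["*"]},
    {"apiGroups": ["rabbitmq.com"], "resources": ["*"], "verbs": ["*"]},
]


def split_rule(rule):
    """Split one PolicyRule into (cluster-only rules, namespaced rules).

    Wildcards cannot be proven namespaced, so they stay at cluster scope; a
    subresource such as pods/log takes the scope of its parent resource.
    """
    keep, move = {}, {}  # apiGroup -> [resources]
    for group in rule.get("apiGroups", [""]):
        for res in rule["resources"]:
            parent = res.split("/", 1)[0]
            cluster_only = group == "*" or parent == "*" or (group, parent) in CLUSTER_SCOPED
            (keep if cluster_only else move).setdefault(group, []).append(res)

    def as_rules(groups):
        return [{"apiGroups": [g], "resources": r, "verbs": rule["verbs"]} for g, r in groups.items()]
    return as_rules(keep), as_rules(move)


def minimize_cluster_permissions(install_spec):
    """Return (clusterPermissions, permissions) with namespaced rules moved down."""
    cluster, namespaced = [], []
    for entry in install_spec.get("clusterPermissions", []):
        keep_rules, move_rules = [], []
        for rule in entry["rules"]:
            k, m = split_rule(rule)
            keep_rules += k
            move_rules += m
        if keep_rules:
            cluster.append({"serviceAccountName": entry["serviceAccountName"], "rules": keep_rules})
        if move_rules:
            namespaced.append({"serviceAccountName": entry["serviceAccountName"], "rules": move_rules})
    namespaced += install_spec.get("permissions", [])
    return cluster, namespaced


def rule_covers(granted, group, resource, verb):
    """True if one granted PolicyRule allows the (group, resource, verb) triple."""
    wants = ((group, granted["apiGroups"]), (resource, granted["resources"]), (verb, granted["verbs"]))
    return all(want in have or "*" in have for want, have in wants)


def uncovered_requests(granted_rules, requested_rules):
    """Requested (group, resource, verb) triples the granting SA does not hold.

    A requested wildcard ("*") is only covered by a granted wildcard.
    """
    missing = []
    for rule in requested_rules:
        for g in rule["apiGroups"]:
            for r in rule["resources"]:
                for v in rule["verbs"]:
                    if not any(rule_covers(gr, g, r, v) for gr in granted_rules):
                        missing.append((g, r, v))
    return missing


def all_rules(entries):
    """Flatten a clusterPermissions/permissions list into its PolicyRules."""
    return [rule for entry in entries for rule in entry["rules"]]


if __name__ == "__main__":
    cluster, namespaced = minimize_cluster_permissions(CSV_INSTALL_SPEC)
    print("kept at cluster scope:", all_rules(cluster))
    print("movable to permissions:", len(all_rules(namespaced)), "rules")
    print("not held by scoped SA:", uncovered_requests(SCOPED_SA_RULES, all_rules(cluster)))
```

On the constructed input, everything on pods, secrets, services, configmaps, statefulsets and rabbitmqclusters moves to `permissions`, while `nodes` and `customresourcedefinitions` stay at cluster scope; the scoped service account covers all of the moved rules and none of the remaining cluster ones, which is exactly the residue an admin would have to add to their OperatorGroup service account (or the manifest would have to drop) before a scoped install can succeed.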