Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Docs: Derive minimal service account needed to install a bundle #1130

Closed
Tracked by #959
perdasilva opened this issue Aug 14, 2024 · 3 comments · Fixed by #1238
Closed
Tracked by #959

Docs: Derive minimal service account needed to install a bundle #1130

perdasilva opened this issue Aug 14, 2024 · 3 comments · Fixed by #1238
Assignees
@rashmi43
Labels
documentation Improvements or additions to documentation kind/documentation Categorizes issue or PR as related to documentation. v1.0 Issues related to the initial stable release of OLMv1
Milestone
v1.0.0

Comments

@perdasilva
Copy link
Contributor

perdasilva commented Aug 14, 2024
edited
Loading

Write user documentation describing how to derive the minimal service account needed to install a bundle. If documentation already exists, review it and ensure it is still accurate and up-to-date.

A/C:

  • Call out OLM v1 security stance (secure by default)
  • Explain installing a CE requires a Service Account
  • Describe how to derive the minimal RBAC for the installer service account:
    • ClusterRole with all the roles in the CSV
    • CE finalizer
    • Role for the namespace scoped bundle contents
    • ClusterRole with all the cluster scoped bundle contents (CRDS + some openshift specific ones) as well as ClusterRoles and ClusterRoleBindings
    • All rules in all the Roles and Cluster roles
    • Call out making installer SA admin as a (non-production) workaround (as an example, kubectl command to do it in KIND)

Open Question:

Reach out if you have any questions please reach out on Slack

Current documentation is posted up at https://operator-framework.github.io/operator-controller/
New docs should be placed in docs/drafts
@perdasilva perdasilva mentioned this issue Aug 14, 2024
Closed
14 tasks
@perdasilva perdasilva changed the title Derive minimal service account needed to install a bundle Docs: Derive minimal service account needed to install a bundle Aug 14, 2024
@perdasilva perdasilva added documentation Improvements or additions to documentation kind/documentation Categorizes issue or PR as related to documentation. labels Aug 14, 2024
@everettraven everettraven added this to the v1.0.0 milestone Aug 20, 2024
@everettraven everettraven added the v1.0 Issues related to the initial stable release of OLMv1 label Aug 27, 2024
@rashmi43
Copy link
Contributor

I would like to take up this task

@rashmi43
Copy link
Contributor

rashmi43 commented Sep 4, 2024

/assign rashmi43

@trgeiger trgeiger mentioned this issue Sep 6, 2024
Closed
6 tasks
@LalatenduMohanty
Copy link
Member

PR under review #1238

This was referenced Sep 11, 2024
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rashmi43 rashmi43

Labels
documentation Improvements or additions to documentation kind/documentation Categorizes issue or PR as related to documentation. v1.0 Issues related to the initial stable release of OLMv1
Projects
OLM v1
Archived in project
Milestone
v1.0.0
4 participants
@perdasilva @LalatenduMohanty @rashmi43 @everettraven