test: Add RBAC escalation test for installer ServiceAccount permissions

camilamacedo86 · camilamacedo86 · commit d192d08df586 · 2026-01-12T13:46:39.000Z
Add rbac-escalation-operator test bundle and e2e scenario to validate
that the ClusterExtension installer ServiceAccount can install operators
with diverse RBAC requirements.

This operator requires storage.k8s.io and scheduling.k8s.io permissions
that differ from the basic test-operator, ensuring the installer SA's
bind/escalate verbs are properly exercised per the documented permission
model in docs/concepts/permission-model.md.

The test validates:
- Installer SA can create RBAC for operators with different permissions
- Kubernetes escalation prevention works with bind/escalate verbs
- OLMv1 permission model supports diverse operator requirements
- Regression prevention for RBAC permission issues
diff --git a/test/e2e/features/rbac-escalation.feature b/test/e2e/features/rbac-escalation.feature
@@ -0,0 +1,37 @@
+Feature: RBAC Permissions for Extension Installation
+
+  Background:
+    Given OLM is available
+    And ClusterCatalog "test" serves bundles
+    And ServiceAccount "olm-sa" with needed permissions is available in ${TEST_NAMESPACE}
+
+  # This test verifies that the ClusterExtension installer ServiceAccount has the necessary
+  # RBAC permissions to install operators with different permission requirements.
+  #
+  # The rbac-escalation-operator requires permissions beyond what test-operator needs,
+  # testing that the installer SA can create ClusterRoleBindings for roles with
+  # permissions the SA itself doesn't directly possess (via bind/escalate verbs).
+  #
+  # See: docs/concepts/permission-model.md for OLMv1 permission requirements
+  Scenario: Install operator with different RBAC requirements
+    When ClusterExtension is applied
+      """
+      apiVersion: olm.operatorframework.io/v1
+      kind: ClusterExtension
+      metadata:
+        name: rbac-escalation-test
+      spec:
+        namespace: ${TEST_NAMESPACE}
+        serviceAccount:
+          name: olm-sa
+        source:
+          sourceType: Catalog
+          catalog:
+            packageName: rbac-escalation-operator
+            selector:
+              matchLabels:
+                "olm.operatorframework.io/metadata.name": test-catalog
+      """
+    Then ClusterExtension is available
+    And bundle "rbac-escalation-operator.1.0.0" is installed in version "1.0.0"
+
diff --git a/testdata/images/bundles/rbac-escalation-operator/v1.0.0/manifests/rbac-escalation-operator.clusterserviceversion.yaml b/testdata/images/bundles/rbac-escalation-operator/v1.0.0/manifests/rbac-escalation-operator.clusterserviceversion.yaml
@@ -0,0 +1,84 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: ClusterServiceVersion
+metadata:
+  name: rbac-escalation-operator.v1.0.0
+  namespace: placeholder
+spec:
+  apiservicedefinitions: {}
+  customresourcedefinitions:
+    owned: []
+  description: Test operator for validating RBAC escalation handling with diverse permission requirements
+  displayName: RBAC Escalation Test Operator
+  install:
+    spec:
+      deployments:
+        - name: rbac-escalation-operator
+          spec:
+            replicas: 1
+            selector:
+              matchLabels:
+                app: rbac-escalation
+            template:
+              metadata:
+                labels:
+                  app: rbac-escalation
+              spec:
+                terminationGracePeriodSeconds: 0
+                containers:
+                  - name: manager
+                    image: busybox:1.37
+                    command: ["/bin/sh", "-c", "sleep 3600"]
+                serviceAccountName: rbac-escalation-sa
+      # These permissions differ from test-operator's requirements to validate
+      # that the installer SA can handle operators with diverse RBAC needs
+      clusterPermissions:
+        - rules:
+            # Requires storage.k8s.io permissions to test RBAC escalation handling
+            - apiGroups:
+                - storage.k8s.io
+              resources:
+                - storageclasses
+              verbs:
+                - create
+                - update
+                - delete
+                - list
+                - watch
+                - get
+            # Requires scheduling.k8s.io permissions to test diverse RBAC scenarios
+            - apiGroups:
+                - scheduling.k8s.io
+              resources:
+                - priorityclasses
+              verbs:
+                - create
+                - update
+                - delete
+                - list
+                - watch
+                - get
+          serviceAccountName: rbac-escalation-sa
+    strategy: deployment
+  installModes:
+    - supported: false
+      type: OwnNamespace
+    - supported: false
+      type: SingleNamespace
+    - supported: false
+      type: MultiNamespace
+    - supported: true
+      type: AllNamespaces
+  keywords:
+    - rbac-testing
+    - escalation
+  links:
+    - name: RBAC Escalation Operator
+      url: https://github.com/operator-framework/operator-controller
+  maintainers:
+    - email: dev@operatorframework.io
+      name: OLM Team
+  maturity: alpha
+  provider:
+    name: Operator Framework
+    url: https://operatorframework.io
+  version: 1.0.0
diff --git a/testdata/images/bundles/rbac-escalation-operator/v1.0.0/metadata/annotations.yaml b/testdata/images/bundles/rbac-escalation-operator/v1.0.0/metadata/annotations.yaml
@@ -0,0 +1,7 @@
+annotations:
+  operators.operatorframework.io.bundle.channel.default.v1: stable
+  operators.operatorframework.io.bundle.channels.v1: stable
+  operators.operatorframework.io.bundle.manifests.v1: manifests/
+  operators.operatorframework.io.bundle.mediatype.v1: registry+v1
+  operators.operatorframework.io.bundle.metadata.v1: metadata/
+  operators.operatorframework.io.bundle.package.v1: rbac-escalation-operator
diff --git a/testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml b/testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml
@@ -159,3 +159,23 @@ properties:
     value:
       packageName: single-namespace-operator
       version: 1.0.0
+---
+schema: olm.package
+name: rbac-escalation-operator
+defaultChannel: stable
+---
+schema: olm.channel
+name: stable
+package: rbac-escalation-operator
+entries:
+  - name: rbac-escalation-operator.1.0.0
+---
+schema: olm.bundle
+name: rbac-escalation-operator.1.0.0
+package: rbac-escalation-operator
+image: docker-registry.operator-controller-e2e.svc.cluster.local:5000/bundles/registry-v1/rbac-escalation-operator:v1.0.0
+properties:
+  - type: olm.package
+    value:
+      packageName: rbac-escalation-operator
+      version: 1.0.0
