diff --git a/test/e2e/features/rbac-escalation.feature b/test/e2e/features/rbac-escalation.feature
new file mode 100644
index 0000000000..f13345bfa4
--- /dev/null
+++ b/test/e2e/features/rbac-escalation.feature
@@ -0,0 +1,38 @@
+Feature: RBAC Permissions for Extension Installation
+
+ Background:
+ Given OLM is available
+ And ClusterCatalog "test" serves bundles
+ And ServiceAccount "olm-sa" with needed permissions is available in ${TEST_NAMESPACE}
+
+ # This test verifies that the ClusterExtension installer ServiceAccount has the necessary
+ # RBAC permissions to install operators with different permission requirements.
+ #
+ # The rbac-escalation-operator requires permissions beyond what test-operator needs,
+ # testing that the installer SA can create ClusterRoleBindings for roles with
+ # permissions the SA itself doesn't directly possess (via bind/escalate verbs).
+ #
+ # See: docs/concepts/permission-model.md for OLMv1 permission requirements
+ Scenario: Install operator with different RBAC requirements
+ When ClusterExtension is applied
+ """
+ apiVersion: olm.operatorframework.io/v1
+ kind: ClusterExtension
+ metadata:
+ name: rbac-escalation-test
+ spec:
+ namespace: ${TEST_NAMESPACE}
+ serviceAccount:
+ name: olm-sa
+ source:
+ sourceType: Catalog
+ catalog:
+ packageName: rbac-escalation-operator
+ selector:
+ matchLabels:
+ "olm.operatorframework.io/metadata.name": test-catalog
+ """
+ Then ClusterExtension is rolled out
+ And ClusterExtension is available
+ And bundle "rbac-escalation-operator.1.0.0" is installed in version "1.0.0"
+
diff --git a/test/e2e/steps/testdata/rbac-template.yaml b/test/e2e/steps/testdata/rbac-template.yaml
index d975d76988..0d44f9d7bd 100644
--- a/test/e2e/steps/testdata/rbac-template.yaml
+++ b/test/e2e/steps/testdata/rbac-template.yaml
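Review bot: The Background step names the ClusterCatalog "test" while the selector in the ClusterExtension docstring matches `"olm.operatorframework.io/metadata.name": test-catalog`; if the step definition creates the catalog under the name test-catalog this works, but the mismatch between the step wording and the label value is easy to misread, so I'd either align the step text or add `# the ClusterCatalog "test" step provisions the catalog named test-catalog` above the Scenario. The header comment promises bind/escalate coverage, yet the steps only assert rollout, availability and the installed bundle; if a step exists that checks the bundle's ClusterRole and ClusterRoleBinding for its ServiceAccount were created, adding it would make the escalation claim directly observable rather than implied by a successful install.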
@@ -50,7 +50,11 @@ rules:
 - roles
 - clusterrolebindings
 - rolebindings
- verbs: [ update, create, list, watch, get, delete, patch ]
+ # The bind and escalate verbs allow the ServiceAccount to create role bindings
+ # for roles it doesn't have and grant permissions beyond its own. This is required
+ # because extension bundles contain their own RBAC that must be created.
+ # See docs/concepts/permission-model.md for details on these requirements.
+ verbs: [ update, create, list, watch, get, delete, patch, bind, escalate ]
 - apiGroups: ["coordination.k8s.io"]
 resources: ["leases"]
 verbs: [ update, create, list, watch, get, delete, patch ]
diff --git a/testdata/images/bundles/rbac-escalation-operator/v1.0.0/manifests/rbac-escalation-operator.clusterserviceversion.yaml b/testdata/images/bundles/rbac-escalation-operator/v1.0.0/manifests/rbac-escalation-operator.clusterserviceversion.yaml
new file mode 100644
index 0000000000..bb5d1b513c
--- /dev/null
+++ b/testdata/images/bundles/rbac-escalation-operator/v1.0.0/manifests/rbac-escalation-operator.clusterserviceversion.yaml
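Review bot: The new `bind` and `escalate` verbs are granted with no `resourceNames` restriction on the roles, rolebindings and clusterrolebindings visible in the context (and presumably clusterroles, which would sit above the hunk), which lets this installer ServiceAccount grant any permission that exists in the cluster; the added comment explains why the verbs are needed but not that this is cluster-admin-equivalent or that it is acceptable only because rbac-template.yaml is an e2e fixture. I'd append one line to the new comment: `# NOTE: bind+escalate without resourceNames is cluster-admin-equivalent; fine for this e2e fixture, do not copy into a production template.`. The enclosing rule's `apiGroups` and the beginning of its `resources` list start outside the hunk, so I can't confirm the full resource set from here.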
@@ -0,0 +1,103 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: ClusterServiceVersion
+metadata:
+ name: rbac-escalation-operator.v1.0.0
+ namespace: placeholder
+spec:
+ apiservicedefinitions: {}
+ customresourcedefinitions:
+ owned: []
+ description: Test operator for validating RBAC escalation handling with diverse permission requirements
+ displayName: RBAC Escalation Test Operator
+ install:
+ spec:
+ deployments:
+ - name: rbac-escalation-operator
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: rbac-escalation
+ template:
+ metadata:
+ labels:
+ app: rbac-escalation
+ spec:
+ terminationGracePeriodSeconds: 0
+ containers:
+ - name: manager
+ image: busybox:1.37
+ command: ["/bin/sh"]
+ args: ["-c", "mkdir -p /tmp && (while true; do echo 'OK' | nc -l -p 8080; done)"]
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ startupProbe:
+ tcpSocket:
+ port: 8080
+ failureThreshold: 30
+ periodSeconds: 1
+ livenessProbe:
+ tcpSocket:
+ port: 8080
+ failureThreshold: 1
+ periodSeconds: 2
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initialDelaySeconds: 1
+ periodSeconds: 1
+ serviceAccountName: rbac-escalation-sa
+ # These permissions differ from test-operator's requirements to validate
+ # that the installer SA can handle operators with diverse RBAC needs
+ clusterPermissions:
+ - rules:
+ # Requires storage.k8s.io permissions to test RBAC escalation handling
+ - apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - create
+ - update
+ - delete
+ - list
+ - watch
+ - get
+ # Requires scheduling.k8s.io permissions to test diverse RBAC scenarios
+ - apiGroups:
+ - scheduling.k8s.io
+ resources:
+ - priorityclasses
+ verbs:
+ - create
+ - update
+ - delete
+ - list
+ - watch
+ - get
+ serviceAccountName: rbac-escalation-sa
+ strategy: deployment
+ installModes:
+ - supported: false
+ type: OwnNamespace
+ - supported: false
+ type: SingleNamespace
+ - supported: false
+ type: MultiNamespace
+ - supported: true
+ type: AllNamespaces
+ keywords:
+ - rbac-testing
+ - escalation
+ links:
+ - name: RBAC Escalation Operator
+ url: https://github.com/operator-framework/operator-controller
+ maintainers:
+ - email: dev@operatorframework.io
+ name: OLM Team
+ maturity: alpha
+ provider:
+ name: Operator Framework
+ url: https://operatorframework.io
+ version: 1.0.0
diff --git a/testdata/images/bundles/rbac-escalation-operator/v1.0.0/metadata/annotations.yaml b/testdata/images/bundles/rbac-escalation-operator/v1.0.0/metadata/annotations.yaml
new file mode 100644
index 0000000000..1f678362f5
--- /dev/null
+++ b/testdata/images/bundles/rbac-escalation-operator/v1.0.0/metadata/annotations.yaml
@@ -0,0 +1,7 @@
+annotations:
+ operators.operatorframework.io.bundle.channel.default.v1: stable
+ operators.operatorframework.io.bundle.channels.v1: stable
+ operators.operatorframework.io.bundle.manifests.v1: manifests/
+ operators.operatorframework.io.bundle.mediatype.v1: registry+v1
+ operators.operatorframework.io.bundle.metadata.v1: metadata/
+ operators.operatorframework.io.bundle.package.v1: rbac-escalation-operator
diff --git a/testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml b/testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml
index 111c75f42c..45b2def379 100644
--- a/testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml
+++ b/testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml
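Review bot: The liveness probe with `failureThreshold: 1` and `periodSeconds: 2` is fragile against the single-connection `nc -l -p 8080` loop in `args`: each probe connection consumes the listener, so a liveness check that lands while the readiness probe (every 1s) holds the connection, or in the gap between nc exiting and the loop respawning it, fails once and restarts the container. If this mirrors test-operator's manifest it is presumably tolerated there, but for a fixture meant to exercise RBAC rather than probes I'd use `failureThreshold: 3` on the liveness probe. Separately, the `clusterPermissions` rules request cluster-scoped create/update/delete on storageclasses and priorityclasses that the busybox container never touches; the comment above them would read more honestly as `# Not used by the container; present only so this bundle's RBAC differs from test-operator's and exercises the installer's bind/escalate path`.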
@@ -159,3 +159,23 @@ properties:
 value:
 packageName: single-namespace-operator
 version: 1.0.0
+---
+schema: olm.package
+name: rbac-escalation-operator
+defaultChannel: stable
+---
+schema: olm.channel
+name: stable
+package: rbac-escalation-operator
+entries:
+ - name: rbac-escalation-operator.1.0.0
+---
+schema: olm.bundle
+name: rbac-escalation-operator.1.0.0
+package: rbac-escalation-operator
+image: docker-registry.operator-controller-e2e.svc.cluster.local:5000/bundles/registry-v1/rbac-escalation-operator:v1.0.0
+properties:
+ - type: olm.package
+ value:
+ packageName: rbac-escalation-operator
+ version: 1.0.0
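Review bot: The `olm.bundle` entry is named `rbac-escalation-operator.1.0.0` while the CSV added in the same commit carries `metadata.name: rbac-escalation-operator.v1.0.0`; the existing single-namespace-operator entry in the context suggests the dotted form is this catalog's convention and the feature file asserts on the catalog name, so this is probably intended, but worth confirming the two forms are meant to differ. The `image:` reference pins the bundle by the mutable tag `v1.0.0` rather than a digest, consistent with the neighbouring entries; acceptable for the in-cluster e2e registry, but it means the catalog does not bind the bundle content, which matters if these fixtures are ever reused outside the e2e registry.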