From d192d08df586e35d32fdbcb2c76157824da99cbd Mon Sep 17 00:00:00 2001 From: Camila Macedo <7708031+camilamacedo86@users.noreply.github.com> Date: Mon, 12 Jan 2026 12:59:54 +0000 Subject: [PATCH 1/3] test: Add RBAC escalation test for installer ServiceAccount permissions Add rbac-escalation-operator test bundle and e2e scenario to validate that the ClusterExtension installer ServiceAccount can install operators with diverse RBAC requirements. This operator requires storage.k8s.io and scheduling.k8s.io permissions that differ from the basic test-operator, ensuring the installer SA's bind/escalate verbs are properly exercised per the documented permission model in docs/concepts/permission-model.md. The test validates: - Installer SA can create RBAC for operators with different permissions - Kubernetes escalation prevention works with bind/escalate verbs - OLMv1 permission model supports diverse operator requirements - Regression prevention for RBAC permission issues --- test/e2e/features/rbac-escalation.feature | 37 ++++++++ ...lation-operator.clusterserviceversion.yaml | 84 +++++++++++++++++++ .../v1.0.0/metadata/annotations.yaml | 7 ++ .../test-catalog/v1/configs/catalog.yaml | 20 +++++ 4 files changed, 148 insertions(+) create mode 100644 test/e2e/features/rbac-escalation.feature create mode 100644 testdata/images/bundles/rbac-escalation-operator/v1.0.0/manifests/rbac-escalation-operator.clusterserviceversion.yaml create mode 100644 testdata/images/bundles/rbac-escalation-operator/v1.0.0/metadata/annotations.yaml diff --git a/test/e2e/features/rbac-escalation.feature b/test/e2e/features/rbac-escalation.feature new file mode 100644 index 0000000000..75b33e68f4 --- /dev/null +++ b/test/e2e/features/rbac-escalation.feature 
@@ -0,0 +1,37 @@
+Feature: RBAC Permissions for Extension Installation
+
+ Background:
+ Given OLM is available
+ And ClusterCatalog "test" serves bundles
+ And ServiceAccount "olm-sa" with needed permissions is available in ${TEST_NAMESPACE}
+
+ # This test verifies that the ClusterExtension installer ServiceAccount has the necessary
+ # RBAC permissions to install operators with different permission requirements.
+ #
+ # The rbac-escalation-operator requires permissions beyond what test-operator needs,
+ # testing that the installer SA can create ClusterRoleBindings for roles with
+ # permissions the SA itself doesn't directly possess (via bind/escalate verbs).
+ #
+ # See: docs/concepts/permission-model.md for OLMv1 permission requirements
+ Scenario: Install operator with different RBAC requirements
+ When ClusterExtension is applied
+ """
+ apiVersion: olm.operatorframework.io/v1
+ kind: ClusterExtension
+ metadata:
+ name: rbac-escalation-test
+ spec:
+ namespace: ${TEST_NAMESPACE}
+ serviceAccount:
+ name: olm-sa
+ source:
+ sourceType: Catalog
+ catalog:
+ packageName: rbac-escalation-operator
+ selector:
+ matchLabels:
+ "olm.operatorframework.io/metadata.name": test-catalog
+ """
+ Then ClusterExtension is available
+ And bundle "rbac-escalation-operator.1.0.0" is installed in version "1.0.0"
+
diff --git a/testdata/images/bundles/rbac-escalation-operator/v1.0.0/manifests/rbac-escalation-operator.clusterserviceversion.yaml b/testdata/images/bundles/rbac-escalation-operator/v1.0.0/manifests/rbac-escalation-operator.clusterserviceversion.yaml
new file mode 100644
index 0000000000..20cbe3018e
--- /dev/null
+++ b/testdata/images/bundles/rbac-escalation-operator/v1.0.0/manifests/rbac-escalation-operator.clusterserviceversion.yaml
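Review bot: The scenario only asserts that the install succeeds, so it cannot tell whether bind/escalate were actually exercised: if the installer SA from rbac-template.yaml already holds the storage.k8s.io and scheduling.k8s.io verbs this bundle requests, the Kubernetes escalation check never fires and the scenario passes for the wrong reason, which is the same false confidence the PR description attributes to test-operator. The header comment also promises that "escalation prevention works", but nothing in the steps observes the generated ClusterRole or a rejected binding. Consider a follow-up step that checks the ClusterRole created for bundle "rbac-escalation-operator.1.0.0" contains the storageclasses and priorityclasses rules, and a negative scenario with an SA lacking bind/escalate that expects the ClusterExtension to report a failure rather than become available; whether such step definitions already exist is not visible here. The "Then ClusterExtension is available" line is reworked later in this series, so I am not commenting on it.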
@@ -0,0 +1,84 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: ClusterServiceVersion
+metadata:
+ name: rbac-escalation-operator.v1.0.0
+ namespace: placeholder
+spec:
+ apiservicedefinitions: {}
+ customresourcedefinitions:
+ owned: []
+ description: Test operator for validating RBAC escalation handling with diverse permission requirements
+ displayName: RBAC Escalation Test Operator
+ install:
+ spec:
+ deployments:
+ - name: rbac-escalation-operator
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: rbac-escalation
+ template:
+ metadata:
+ labels:
+ app: rbac-escalation
+ spec:
+ terminationGracePeriodSeconds: 0
+ containers:
+ - name: manager
+ image: busybox:1.37
+ command: ["/bin/sh", "-c", "sleep 3600"]
+ serviceAccountName: rbac-escalation-sa
+ # These permissions differ from test-operator's requirements to validate
+ # that the installer SA can handle operators with diverse RBAC needs
+ clusterPermissions:
+ - rules:
+ # Requires storage.k8s.io permissions to test RBAC escalation handling
+ - apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - create
+ - update
+ - delete
+ - list
+ - watch
+ - get
+ # Requires scheduling.k8s.io permissions to test diverse RBAC scenarios
+ - apiGroups:
+ - scheduling.k8s.io
+ resources:
+ - priorityclasses
+ verbs:
+ - create
+ - update
+ - delete
+ - list
+ - watch
+ - get
+ serviceAccountName: rbac-escalation-sa
+ strategy: deployment
+ installModes:
+ - supported: false
+ type: OwnNamespace
+ - supported: false
+ type: SingleNamespace
+ - supported: false
+ type: MultiNamespace
+ - supported: true
+ type: AllNamespaces
+ keywords:
+ - rbac-testing
+ - escalation
+ links:
+ - name: RBAC Escalation Operator
+ url: https://github.com/operator-framework/operator-controller
+ maintainers:
+ - email: dev@operatorframework.io
+ name: OLM Team
+ maturity: alpha
+ provider:
+ name: Operator Framework
+ url: https://operatorframework.io
+ version: 1.0.0
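Review bot: The comments on the clusterPermissions rules say they exist "to test RBAC escalation handling", but that only holds while these verbs stay disjoint from what the installer SA (olm-sa, from test/e2e/steps/testdata/rbac-template.yaml) is granted; nothing in the bundle records that invariant, so a later widening of the template would silently turn this bundle into the same no-op the PR description attributes to test-operator. I'd replace the comment above the first rule with `# These rules must stay disjoint from the verbs granted to the e2e installer SA in test/e2e/steps/testdata/rbac-template.yaml: the escalation check only fires for permissions the SA lacks.` Separately, the manager container only sleeps and never touches these APIs, so the mutating create/update/delete verbs on cluster-scoped storageclasses and priorityclasses buy nothing for the test; get/list/watch would exercise the same path provided the SA lacks them, which is worth confirming against the template before trimming.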
diff --git a/testdata/images/bundles/rbac-escalation-operator/v1.0.0/metadata/annotations.yaml b/testdata/images/bundles/rbac-escalation-operator/v1.0.0/metadata/annotations.yaml new file mode 100644 index 0000000000..1f678362f5 --- /dev/null +++ b/testdata/images/bundles/rbac-escalation-operator/v1.0.0/metadata/annotations.yaml @@ -0,0 +1,7 @@ +annotations: + operators.operatorframework.io.bundle.channel.default.v1: stable + operators.operatorframework.io.bundle.channels.v1: stable + operators.operatorframework.io.bundle.manifests.v1: manifests/ + operators.operatorframework.io.bundle.mediatype.v1: registry+v1 + operators.operatorframework.io.bundle.metadata.v1: metadata/ + operators.operatorframework.io.bundle.package.v1: rbac-escalation-operator diff --git a/testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml b/testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml index 111c75f42c..45b2def379 100644 --- a/testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml +++ b/testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml @@ -159,3 +159,23 @@ properties: value: packageName: single-namespace-operator version: 1.0.0 +--- +schema: olm.package +name: rbac-escalation-operator +defaultChannel: stable +--- +schema: olm.channel +name: stable +package: rbac-escalation-operator +entries: + - name: rbac-escalation-operator.1.0.0 +--- +schema: olm.bundle +name: rbac-escalation-operator.1.0.0 +package: rbac-escalation-operator +image: docker-registry.operator-controller-e2e.svc.cluster.local:5000/bundles/registry-v1/rbac-escalation-operator:v1.0.0 +properties: + - type: olm.package + value: + packageName: rbac-escalation-operator + version: 1.0.0 From 39e8526d203396e19c0d397d54795bdb314c6c5c Mon Sep 17 00:00:00 2001 
From: Camila Macedo <7708031+camilamacedo86@users.noreply.github.com> Date: Mon, 12 Jan 2026 13:24:23 +0000 Subject: [PATCH 2/3] fix: Add documented RBAC prerequisites to test template Add bind and escalate verbs to test RBAC template to comply with documented prerequisites in docs/concepts/permission-model.md. These verbs are REQUIRED per our documentation for installer ServiceAccounts that install operators with their own RBAC. The missing prerequisites were exposed by the rbac-escalation e2e test, which uses an operator requiring permissions the test SA doesn't have (storage.k8s.io, scheduling.k8s.io). Without bind/escalate verbs, Kubernetes rejects the ClusterRoleBinding creation with escalation prevention errors. Previous tests passed because they only used test-operator, which has minimal RBAC (tokenreviews, subjectaccessreviews) that the test SA coincidentally already has. This created false confidence and hid the incomplete RBAC template. Fixes: rbac-escalation e2e test Aligns: test template with docs/concepts/permission-model.md See: https://github.com/operator-framework/operator-controller/actions/runs/20920337864/job/60103970542?pr=2441 --- test/e2e/steps/testdata/rbac-template.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/test/e2e/steps/testdata/rbac-template.yaml b/test/e2e/steps/testdata/rbac-template.yaml index d975d76988..0d44f9d7bd 100644 --- a/test/e2e/steps/testdata/rbac-template.yaml +++ b/test/e2e/steps/testdata/rbac-template.yaml 
@@ -50,7 +50,11 @@ rules: - roles - clusterrolebindings - rolebindings - verbs: [ update, create, list, watch, get, delete, patch ] + # The bind and escalate verbs allow the ServiceAccount to create role bindings + # for roles it doesn't have and grant permissions beyond its own. This is required + # because extension bundles contain their own RBAC that must be created. + # See docs/concepts/permission-model.md for details on these requirements. + verbs: [ update, create, list, watch, get, delete, patch, bind, escalate ] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: [ update, create, list, watch, get, delete, patch ] From bf17ecc4c3107818f4c6bf4c8d6bd6ed902fb72d Mon Sep 17 00:00:00 2001 From: Camila Macedo <7708031+camilamacedo86@users.noreply.github.com> Date: Mon, 12 Jan 2026 14:28:26 +0000 Subject: [PATCH 3/3] fix: Add health probes to rbac-escalation-operator deployment Add startup, liveness, and readiness probes to rbac-escalation-operator deployment so the pod can report ready status and the ClusterExtension can reach Available condition. Without probes, the deployment never reports ready, causing the test to timeout waiting for 'ClusterExtension is available'. Fixes: rbac-escalation.feature test availability check --- test/e2e/features/rbac-escalation.feature | 3 ++- ...lation-operator.clusterserviceversion.yaml | 21 ++++++++++++++++++- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/test/e2e/features/rbac-escalation.feature b/test/e2e/features/rbac-escalation.feature index 75b33e68f4..f13345bfa4 100644 --- a/test/e2e/features/rbac-escalation.feature +++ b/test/e2e/features/rbac-escalation.feature @@ -32,6 +32,7 @@ Feature: RBAC Permissions for Extension Installation matchLabels: "olm.operatorframework.io/metadata.name": test-catalog """ - Then ClusterExtension is available + Then ClusterExtension is rolled out + And ClusterExtension is available And bundle "rbac-escalation-operator.1.0.0" is installed in version "1.0.0" 
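Review bot: Adding `bind` and `escalate` to a rule with no `resourceNames` lets olm-sa author and bind a ClusterRole with any content, which makes it effectively cluster-admin; the new comment explains the mechanism but not that consequence, nor that it is tolerable only because this template is e2e-only, and that is the first thing a reader copying it into a real deployment needs to know. Kubernetes evaluates both verbs against the roles/clusterroles resources (escalate when a role's rules exceed the creator's own, bind when a binding references such a role), so listing them on rolebindings/clusterrolebindings is inert and the tighter form is a separate rule `resources: [clusterroles, roles]` / `verbs: [bind, escalate]` under the same apiGroup, keeping the existing verb list unchanged on the bindings; the rule's `apiGroups` line sits outside the hunk, so confirm the group before splitting. I'd also append `# NOTE: unrestricted bind/escalate is effectively cluster-admin; acceptable only in this e2e-only template.` to the new comment block.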
diff --git a/testdata/images/bundles/rbac-escalation-operator/v1.0.0/manifests/rbac-escalation-operator.clusterserviceversion.yaml b/testdata/images/bundles/rbac-escalation-operator/v1.0.0/manifests/rbac-escalation-operator.clusterserviceversion.yaml index 20cbe3018e..bb5d1b513c 100644 --- a/testdata/images/bundles/rbac-escalation-operator/v1.0.0/manifests/rbac-escalation-operator.clusterserviceversion.yaml +++ b/testdata/images/bundles/rbac-escalation-operator/v1.0.0/manifests/rbac-escalation-operator.clusterserviceversion.yaml @@ -27,7 +27,26 @@ spec: containers: - name: manager image: busybox:1.37 - command: ["/bin/sh", "-c", "sleep 3600"] + command: ["/bin/sh"] + args: ["-c", "mkdir -p /tmp && (while true; do echo 'OK' | nc -l -p 8080; done)"] + ports: + - containerPort: 8080 + protocol: TCP + startupProbe: + tcpSocket: + port: 8080 + failureThreshold: 30 + periodSeconds: 1 + livenessProbe: + tcpSocket: + port: 8080 + failureThreshold: 1 + periodSeconds: 2 + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 1 serviceAccountName: rbac-escalation-sa # These permissions differ from test-operator's requirements to validate # that the installer SA can handle operators with diverse RBAC needs
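Review bot: The liveness probe's `failureThreshold: 1` on a listener that is torn down between connections is a flakiness risk: `nc -l -p 8080` serves one connection and exits, the shell loop then re-binds, and the three tcpSocket probes (startup and readiness every 1s, liveness every 2s) each consume a connection, so a probe landing in the re-bind window gets a refused connection and a single miss restarts the container. Raising the liveness probe to `failureThreshold: 3` (the Kubernetes default) keeps the check while tolerating that window; if flakes persist, the readiness probe's 1s period is the other knob. The `mkdir -p /tmp &&` prefix in `args` is not used by the rest of the command and can be dropped. The deployment spec this hunk edits begins outside the hunk.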