operator-framework · camilamacedo86 · Jan 12, 2026 · Jan 12, 2026 · Jan 12, 2026
diff --git a/test/e2e/features/rbac-escalation.feature b/test/e2e/features/rbac-escalation.feature
@@ -0,0 +1,38 @@
+Feature: RBAC Permissions for Extension Installation
+
+  Background:
+    Given OLM is available
+    And ClusterCatalog "test" serves bundles
+    And ServiceAccount "olm-sa" with needed permissions is available in ${TEST_NAMESPACE}
+
+  # This test verifies that the ClusterExtension installer ServiceAccount has the necessary
+  # RBAC permissions to install operators with different permission requirements.
+  #
+  # The rbac-escalation-operator requires permissions beyond what test-operator needs,
+  # testing that the installer SA can create ClusterRoleBindings for roles with
+  # permissions the SA itself doesn't directly possess (via bind/escalate verbs).
+  #
+  # See: docs/concepts/permission-model.md for OLMv1 permission requirements
+  Scenario: Install operator with different RBAC requirements
+    When ClusterExtension is applied
+      """
+      apiVersion: olm.operatorframework.io/v1
+      kind: ClusterExtension
+      metadata:
+        name: rbac-escalation-test
+      spec:
+        namespace: ${TEST_NAMESPACE}
+        serviceAccount:
+          name: olm-sa
+        source:
+          sourceType: Catalog
+          catalog:
+            packageName: rbac-escalation-operator
+            selector:
+              matchLabels:
+                "olm.operatorframework.io/metadata.name": test-catalog
+      """
+    Then ClusterExtension is rolled out
+    And ClusterExtension is available
+    And bundle "rbac-escalation-operator.1.0.0" is installed in version "1.0.0"
+
diff --git a/test/e2e/steps/testdata/rbac-template.yaml b/test/e2e/steps/testdata/rbac-template.yaml
@@ -50,7 +50,11 @@ rules:
       - roles
       - clusterrolebindings
       - rolebindings
-    verbs: [ update, create, list, watch, get, delete, patch ]
+    # The bind and escalate verbs allow the ServiceAccount to create role bindings
+    # for roles it doesn't have and grant permissions beyond its own. This is required
+    # because extension bundles contain their own RBAC that must be created.
+    # See docs/concepts/permission-model.md for details on these requirements.
+    verbs: [ update, create, list, watch, get, delete, patch, bind, escalate ]
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     verbs: [ update, create, list, watch, get, delete, patch ]

diff --git a/...-escalation-operator/v1.0.0/manifests/rbac-escalation-operator.clusterserviceversion.yaml b/...-escalation-operator/v1.0.0/manifests/rbac-escalation-operator.clusterserviceversion.yaml
@@ -0,0 +1,103 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: ClusterServiceVersion
+metadata:
+  name: rbac-escalation-operator.v1.0.0
+  namespace: placeholder
+spec:
+  apiservicedefinitions: {}
+  customresourcedefinitions:
+    owned: []
+  description: Test operator for validating RBAC escalation handling with diverse permission requirements
+  displayName: RBAC Escalation Test Operator
+  install:
+    spec:
+      deployments:
+        - name: rbac-escalation-operator
+          spec:
+            replicas: 1
+            selector:
+              matchLabels:
+                app: rbac-escalation
+            template:
+              metadata:
+                labels:
+                  app: rbac-escalation
+              spec:
+                terminationGracePeriodSeconds: 0
+                containers:
+                  - name: manager
+                    image: busybox:1.37
+                    command: ["/bin/sh"]
+                    args: ["-c", "mkdir -p /tmp && (while true; do echo 'OK' | nc -l -p 8080; done)"]
+                    ports:
+                      - containerPort: 8080
+                        protocol: TCP
+                    startupProbe:
+                      tcpSocket:
+                        port: 8080
+                      failureThreshold: 30
+                      periodSeconds: 1
+                    livenessProbe:
+                      tcpSocket:
+                        port: 8080
+                      failureThreshold: 1
+                      periodSeconds: 2
+                    readinessProbe:
+                      tcpSocket:
+                        port: 8080
+                      initialDelaySeconds: 1
+                      periodSeconds: 1
+                serviceAccountName: rbac-escalation-sa
+      # These permissions differ from test-operator's requirements to validate
+      # that the installer SA can handle operators with diverse RBAC needs
+      clusterPermissions:
+        - rules:
+            # Requires storage.k8s.io permissions to test RBAC escalation handling
+            - apiGroups:
+                - storage.k8s.io
+              resources:
+                - storageclasses
+              verbs:
+                - create
+                - update
+                - delete
+                - list
+                - watch
+                - get
+            # Requires scheduling.k8s.io permissions to test diverse RBAC scenarios
+            - apiGroups:
+                - scheduling.k8s.io
+              resources:
+                - priorityclasses
+              verbs:
+                - create
+                - update
+                - delete
+                - list
+                - watch
+                - get
+          serviceAccountName: rbac-escalation-sa
+    strategy: deployment
+  installModes:
+    - supported: false
+      type: OwnNamespace
+    - supported: false
+      type: SingleNamespace
+    - supported: false
+      type: MultiNamespace
+    - supported: true
+      type: AllNamespaces
+  keywords:
+    - rbac-testing
+    - escalation
+  links:
+    - name: RBAC Escalation Operator
+      url: https://github.com/operator-framework/operator-controller
+  maintainers:
+    - email: dev@operatorframework.io
+      name: OLM Team
+  maturity: alpha
+  provider:
+    name: Operator Framework
+    url: https://operatorframework.io
+  version: 1.0.0
diff --git a/testdata/images/bundles/rbac-escalation-operator/v1.0.0/metadata/annotations.yaml b/testdata/images/bundles/rbac-escalation-operator/v1.0.0/metadata/annotations.yaml
@@ -0,0 +1,7 @@
+annotations:
+  operators.operatorframework.io.bundle.channel.default.v1: stable
+  operators.operatorframework.io.bundle.channels.v1: stable
+  operators.operatorframework.io.bundle.manifests.v1: manifests/
+  operators.operatorframework.io.bundle.mediatype.v1: registry+v1
+  operators.operatorframework.io.bundle.metadata.v1: metadata/
+  operators.operatorframework.io.bundle.package.v1: rbac-escalation-operator
diff --git a/testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml b/testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml
@@ -159,3 +159,23 @@ properties:
     value:
       packageName: single-namespace-operator
       version: 1.0.0
+---
+schema: olm.package
+name: rbac-escalation-operator
+defaultChannel: stable
+---
+schema: olm.channel
+name: stable
+package: rbac-escalation-operator
+entries:
+  - name: rbac-escalation-operator.1.0.0
+---
+schema: olm.bundle
+name: rbac-escalation-operator.1.0.0
+package: rbac-escalation-operator
+image: docker-registry.operator-controller-e2e.svc.cluster.local:5000/bundles/registry-v1/rbac-escalation-operator:v1.0.0
+properties:
+  - type: olm.package
+    value:
+      packageName: rbac-escalation-operator
+      version: 1.0.0