// Module included in the following assemblies:
//
// * extensions/ce/managing-ce.adoc

:_mod-docs-content-type: REFERENCE

[id="olmv1-required-rbac-to-install-and-manage-extension-resources_{context}"]
= Required permissions to install and manage a cluster extension

You must inspect the manifests included in the bundle image of a cluster extension to assign the necessary permissions. The service account requires enough role-based access controls (RBAC) to create and manage the following resources.

[IMPORTANT]
====
Follow the principle of least privilege and scope permissions to specific resource names with the least RBAC required to run.
====

Admission plugins:: Because {product-title} clusters use the `OwnerReferencesPermissionEnforcement` admission plugin, cluster extensions must have permissions to update the `blockOwnerDeletion` and `ownerReferences` finalizers.

Cluster role and cluster role bindings for the controllers of the extension:: You must define RBAC so that the installation service account can create and manage cluster roles and cluster role bindings for the extension controllers.

Cluster service version (CSV):: You must define RBAC for the resources defined in the CSV of the cluster extension.

Cluster-scoped bundle resources:: You must define RBAC to create and manage any cluster-scoped resources included in the bundle. If the cluster-scoped resources matches another resource type, such as a `ClusterRole`, you can add the resource to the pre-existing rule under the `resources` or `resourceNames` field.

Custom resource definitions (CRDs):: You must define RBAC so that the installation service account can create and manage the CRDs for the extension. Also, you must grant the service account for the controller of the extension the RBAC to manage its CRDs.

Deployments:: You must define RBAC for the installation service account to create and manage the deployments needed by the extension controller, such as services and config maps.

Extension permissions:: You must include RBAC for the permissions and cluster permissions defined in the CSV. The installation service account needs the ability to grant these permissions to the extension controller, which needs these permissions to run.

Namespace-scoped bundle resources:: You must define RBAC for any namespace-scoped bundle resources. The installation service account requires permission to create and manage resources, such as config maps or services.

Roles and role bindings:: You must define RBAC for any roles or role bindings defined in the CSV. The installation service account needs permission to create and manage those roles and role bindings.

// I am deleting the secrets section because I think it covered under the "extension permissions" term. Please let me know if I should put it back and if you have a suggestion for the definition.

Service accounts:: You must define RBAC so that the installation service account can create and manage the service accounts for the extension controllers.