openshift-docs/modules/olm-policy-fine-grained-permissions.adoc

// Module included in the following assemblies:
//
// * operators/admin/olm-creating-policy.adoc

:_mod-docs-content-type: REFERENCE
[id="olm-policy-fine-grained-permissions_{context}"]
= Fine-grained permissions

Operator Lifecycle Manager (OLM) uses the service account specified in an Operator group to create or update the following resources related to the Operator being installed:

* `ClusterServiceVersion`
* `Subscription`
* `Secret`
* `ServiceAccount`
* `Service`
* `ClusterRole` and `ClusterRoleBinding`
* `Role` and `RoleBinding`

To confine Operators to a designated namespace, cluster administrators can start by granting the following permissions to the service account:

[NOTE]
====
The following role is a generic example and additional rules might be required based on the specific Operator.
====

[source,yaml]
----
kind: Role
rules:
- apiGroups: ["operators.coreos.com"]
  resources: ["subscriptions", "clusterserviceversions"]
  verbs: ["get", "create", "update", "patch"]
- apiGroups: [""]
  resources: ["services", "serviceaccounts"]
  verbs: ["get", "create", "update", "patch"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "rolebindings"]
  verbs: ["get", "create", "update", "patch"]
- apiGroups: ["apps"] <1>
  resources: ["deployments"]
  verbs: ["list", "watch", "get", "create", "update", "patch", "delete"]
- apiGroups: [""] <1>
  resources: ["pods"]
  verbs: ["list", "watch", "get", "create", "update", "patch", "delete"]
----
<1> Add permissions to create other resources, such as deployments and pods shown here.

In addition, if any Operator specifies a pull secret, the following permissions must also be added:

[source,yaml,subs="+macros"]
----
kind: ClusterRole <1>
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
++---++
kind: Role
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "update", "patch"]
----
<1> Required to get the secret from the OLM namespace.