openshift-docs/modules/olm-operatorgroups-rbac.adoc

// Module included in the following assemblies:
//
// * operators/understanding/olm/olm-understanding-operatorgroups.adoc

[id="olm-operatorgroups-rbac_{context}"]
= Role-based access control

When an Operator group is created, three cluster roles are generated. Each contains a single aggregation rule with a cluster role selector set to match a label, as shown below:

[cols="1,1",options="header"]
|===
|Cluster role |Label to match

|`<operatorgroup_name>-admin`
|`olm.opgroup.permissions/aggregate-to-admin: <operatorgroup_name>`

|`<operatorgroup_name>-edit`
|`olm.opgroup.permissions/aggregate-to-edit: <operatorgroup_name>`

|`<operatorgroup_name>-view`
|`olm.opgroup.permissions/aggregate-to-view: <operatorgroup_name>`
|===

The following RBAC resources are generated when a CSV becomes an active member of an Operator group, as long as the CSV is watching all namespaces with the `AllNamespaces` install mode and is not in a failed state with reason `InterOperatorGroupOwnerConflict`:

* Cluster roles for each API resource from a CRD
* Cluster roles for each API resource from an API service
* Additional roles and role bindings

[id="olm-resources-per-api-resource-crd_{context}"]
.Cluster roles generated for each API resource from a CRD
[cols="1,1a",options="header"]
|===
|Cluster role |Settings

|`<kind>.<group>-<version>-admin`
|Verbs on `<kind>`:

* `*`

Aggregation labels:

* `rbac.authorization.k8s.io/aggregate-to-admin: true`
* `olm.opgroup.permissions/aggregate-to-admin: <operatorgroup_name>`

|`<kind>.<group>-<version>-edit`
|Verbs on `<kind>`:

* `create`
* `update`
* `patch`
* `delete`

Aggregation labels:

* `rbac.authorization.k8s.io/aggregate-to-edit: true`
* `olm.opgroup.permissions/aggregate-to-edit: <operatorgroup_name>`

|`<kind>.<group>-<version>-view`
|Verbs on `<kind>`:

* `get`
* `list`
* `watch`

Aggregation labels:

* `rbac.authorization.k8s.io/aggregate-to-view: true`
* `olm.opgroup.permissions/aggregate-to-view: <operatorgroup_name>`

|`<kind>.<group>-<version>-view-crdview`
|Verbs on `apiextensions.k8s.io` `customresourcedefinitions` `<crd-name>`:

* `get`

Aggregation labels:

* `rbac.authorization.k8s.io/aggregate-to-view: true`
*  `olm.opgroup.permissions/aggregate-to-view: <operatorgroup_name>`

|===

[id="olm-resources-per-api-resource-api_{context}"]
.Cluster roles generated for each API resource from an API service
[cols="1,1a",options="header"]
|===
|Cluster role |Settings

|`<kind>.<group>-<version>-admin`
|Verbs on `<kind>`:

* `*`

Aggregation labels:

* `rbac.authorization.k8s.io/aggregate-to-admin: true`
* `olm.opgroup.permissions/aggregate-to-admin: <operatorgroup_name>`

|`<kind>.<group>-<version>-edit`
|Verbs on `<kind>`:

* `create`
* `update`
* `patch`
* `delete`

Aggregation labels:

 * `rbac.authorization.k8s.io/aggregate-to-edit: true`
 * `olm.opgroup.permissions/aggregate-to-edit: <operatorgroup_name>`

|`<kind>.<group>-<version>-view`
|Verbs on `<kind>`:

* `get`
* `list`
* `watch`

Aggregation labels:

* `rbac.authorization.k8s.io/aggregate-to-view: true`
* `olm.opgroup.permissions/aggregate-to-view: <operatorgroup_name>`

|===

[id="olm-resources-additional-roles-rolebindings_{context}"]
.Additional roles and role bindings
* If the CSV defines exactly one target namespace that contains `*`, then a cluster role and corresponding cluster role binding are generated for each permission defined in the `permissions` field of the CSV. All resources generated are given the `olm.owner: <csv_name>` and `olm.owner.namespace: <csv_namespace>` labels.
* If the CSV does _not_ define exactly one target namespace that contains `*`, then all roles and role bindings in the Operator namespace with the `olm.owner: <csv_name>` and `olm.owner.namespace: <csv_namespace>` labels are copied into the target namespace.