openshift-docs/modules/olm-operatorgroups-rbac.adoc

// Module included in the following assemblies:
//
// * operators/understanding/olm/olm-understanding-operatorgroups.adoc

[id="olm-operatorgroups-rbac_{context}"]
= Role-based access control

When an OperatorGroup is created, three ClusterRoles are generated. Each
contains a single AggregationRule with a ClusterRoleSelector set to match a
label, as shown below:

[cols="1,1",options="header"]
|===
|ClusterRole |Label to match

|`<operatorgroup_name>-admin`
|`olm.opgroup.permissions/aggregate-to-admin: <operatorgroup_name>`

|`<operatorgroup_name>-edit`
|`olm.opgroup.permissions/aggregate-to-edit: <operatorgroup_name>`

|`<operatorgroup_name>-view`
|`olm.opgroup.permissions/aggregate-to-view: <operatorgroup_name>`
|===

The following RBAC resources are generated when a CSV becomes an active member of an OperatorGroup, as long as the CSV is watching all namespaces with the `AllNamespaces` InstallMode and is not in a failed state with reason `InterOperatorGroupOwnerConflict`.

* ClusterRoles for each API resource from a CRD
* ClusterRoles for each API resource from an APIService
* Additional Roles and RoleBindings

[id="olm-resources-per-api-resource-crd_{context}"]
.ClusterRoles generated for each API resource from a CRD
[cols="1,1a",options="header"]
|===
|ClusterRole |Settings

|`<kind>.<group>-<version>-admin`
|Verbs on `<kind>`:

* `*`

Aggregation labels:

* `rbac.authorization.k8s.io/aggregate-to-admin: true`
* `olm.opgroup.permissions/aggregate-to-admin: <operatorgroup_name>`

|`<kind>.<group>-<version>-edit`
|Verbs on `<kind>`:

* `create`
* `update`
* `patch`
* `delete`

Aggregation labels:

* `rbac.authorization.k8s.io/aggregate-to-edit: true`
* `olm.opgroup.permissions/aggregate-to-edit: <operatorgroup_name>`

|`<kind>.<group>-<version>-view`
|Verbs on `<kind>`:

* `get`
* `list`
* `watch`

Aggregation labels:

* `rbac.authorization.k8s.io/aggregate-to-view: true`
* `olm.opgroup.permissions/aggregate-to-view: <operatorgroup_name>`

|`<kind>.<group>-<version>-view-crdview`
|Verbs on `apiextensions.k8s.io` `customresourcedefinitions` `<crd-name>`:

* `get`

Aggregation labels:

* `rbac.authorization.k8s.io/aggregate-to-view: true`
*  `olm.opgroup.permissions/aggregate-to-view: <operatorgroup_name>`

|===

[id="olm-resources-per-api-resource-api_{context}"]
.ClusterRoles generated for each API resource from an APIService
[cols="1,1a",options="header"]
|===
|ClusterRole |Settings

|`<kind>.<group>-<version>-admin`
|Verbs on `<kind>`:

* `*`

Aggregation labels:

* `rbac.authorization.k8s.io/aggregate-to-admin: true`
* `olm.opgroup.permissions/aggregate-to-admin: <operatorgroup_name>`

|`<kind>.<group>-<version>-edit`
|Verbs on `<kind>`:

* `create`
* `update`
* `patch`
* `delete`

Aggregation labels:

 * `rbac.authorization.k8s.io/aggregate-to-edit: true`
 * `olm.opgroup.permissions/aggregate-to-edit: <operatorgroup_name>`

|`<kind>.<group>-<version>-view`
|Verbs on `<kind>`:

* `get`
* `list`
* `watch`

Aggregation labels:

* `rbac.authorization.k8s.io/aggregate-to-view: true`
* `olm.opgroup.permissions/aggregate-to-view: <operatorgroup_name>`

|===

[id="olm-resources-additional-roles-rolebindings_{context}"]
.Additional Roles and RoleBindings
* If the CSV defines exactly one target namespace that contains `*`, then a
ClusterRole and corresponding ClusterRoleBinding are generated for each
permission defined in the CSV's permissions field. All resources generated are
given the `olm.owner: <csv_name>` and `olm.owner.namespace: <csv_namespace>`
labels.
* If the CSV does _not_ define exactly one target namespace that contains `*`,
then all Roles and RoleBindings in the Operator namespace with the
`olm.owner: <csv_name>` and `olm.owner.namespace: <csv_namespace>` labels are
copied into the target namespace.