⚠ Single-tenant simplification: remove deprecated features and simplify operator model

Implement the single-tenant simplification design to re-affirm OLM v1's
cluster-admin-only operational model.

Changes across work items:
- 01-cluster-admin: Grant operator-controller cluster-admin ClusterRole
  (remove custom RBAC rules)
- 02-deprecate-service-account: Mark spec.serviceAccount as deprecated
  and optional; remove from docs/examples/tooling
- 03-remove-preflight-permissions: Remove PreflightPermissions feature
  gate and RBAC pre-authorization code
- 04-remove-synthetic-permissions: Remove SyntheticPermissions feature
  gate and synthetic user/group authentication
- 05-remove-single-own-namespace: Remove SingleOwnNamespaceInstallSupport
  feature gate, watchNamespace config, and own-namespace test fixtures
- 07-simplify-contentmanager: Remove per-extension REST config and use
  shared manager client for content management
- 09-documentation: Resolve merge conflicts, add cleanup tracking

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: joelanford

api/v1/clusterextension_types.go

@@ -66,14 +66,14 @@ type ClusterExtensionSpec struct {
 	// +required
 	Namespace string `json:"namespace"`
 
-	// serviceAccount specifies a ServiceAccount used to perform all interactions with the cluster
-	// that are required to manage the extension.
-	// The ServiceAccount must be configured with the necessary permissions to perform these interactions.
-	// The ServiceAccount must exist in the namespace referenced in the spec.
-	// The serviceAccount field is required.
+	// serviceAccount was previously used to specify a ServiceAccount for managing the extension.
+	// This field is now deprecated and ignored. operator-controller uses its own ServiceAccount
+	// for all Kubernetes API interactions.
 	//
-	// +required
-	ServiceAccount ServiceAccountReference `json:"serviceAccount"`
+	// Deprecated: This field is ignored. It will be removed in a future API version.
+	//
+	// +optional
+	ServiceAccount ServiceAccountReference `json:"serviceAccount,omitzero"`
 
 	// source is required and selects the installation source of content for this ClusterExtension.
 	// Set the sourceType field to perform the selection.
@@ -376,7 +376,10 @@ type CatalogFilter struct {
 	UpgradeConstraintPolicy UpgradeConstraintPolicy `json:"upgradeConstraintPolicy,omitempty"`
 }
 
-// ServiceAccountReference identifies the serviceAccount used fo install a ClusterExtension.
+// ServiceAccountReference identifies the serviceAccount used to install a ClusterExtension.
+//
+// Deprecated: This type is deprecated and will be removed in a future API version.
+// operator-controller now uses its own ServiceAccount for all operations.
 type ServiceAccountReference struct {
 	// name is a required, immutable reference to the name of the ServiceAccount used for installation
 	// and management of the content for the package specified in the packageName field.
@@ -549,6 +552,10 @@ type ClusterExtensionInstallStatus struct {
 // +kubebuilder:printcolumn:name=Age,type=date,JSONPath=`.metadata.creationTimestamp`
 
 // ClusterExtension is the Schema for the clusterextensions API
+//
+// WARNING: This is a cluster-admin-only API. Creating a ClusterExtension instructs
+// operator-controller to install arbitrary workloads and RBAC, which is equivalent to
+// cluster-admin privileges. Only cluster administrators should have write access to this resource.
 type ClusterExtension struct {
 	metav1.TypeMeta `json:",inline"`
 

api/v1/validation_test.go

@@ -23,9 +23,6 @@ func TestValidate(t *testing.T) {
 	}
 	defaultExtensionSpec := func(s *ClusterExtensionSpec) *ClusterExtensionSpec {
 		s.Namespace = "ns"
-		s.ServiceAccount = ServiceAccountReference{
-			Name: "sa",
-		}
 		s.Source = SourceConfig{
 			SourceType: SourceTypeCatalog,
 			Catalog: &CatalogFilter{

applyconfigurations/api/v1/clusterextensionspec.go

@@ -59,7 +59,6 @@ import (
 	ocv1 "github.com/operator-framework/operator-controller/api/v1"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/action"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/applier"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/authentication"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/catalogmetadata/cache"
 	catalogclient "github.com/operator-framework/operator-controller/internal/operator-controller/catalogmetadata/client"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/contentmanager"
@@ -474,11 +473,10 @@ func run() error {
 
 	certProvider := getCertificateProvider()
 	regv1ManifestProvider := &applier.RegistryV1ManifestProvider{
-		BundleRenderer:              registryv1.Renderer,
-		CertificateProvider:         certProvider,
-		IsWebhookSupportEnabled:     certProvider != nil,
-		IsSingleOwnNamespaceEnabled: features.OperatorControllerFeatureGate.Enabled(features.SingleOwnNamespaceInstallSupport),
-		IsDeploymentConfigEnabled:   features.OperatorControllerFeatureGate.Enabled(features.DeploymentConfig),
+		BundleRenderer:            registryv1.Renderer,
+		CertificateProvider:       certProvider,
+		IsWebhookSupportEnabled:   certProvider != nil,
+		IsDeploymentConfigEnabled: features.OperatorControllerFeatureGate.Enabled(features.DeploymentConfig),
 	}
 	var cerCfg reconcilerConfigurator
 	if features.OperatorControllerFeatureGate.Enabled(features.BoxcutterRuntime) {
@@ -622,9 +620,6 @@ func (c *boxcutterReconcilerConfigurator) Configure(ceReconciler *controllers.Cl
 	}
 	ceReconciler.ReconcileSteps = []controllers.ReconcileStepFunc{
 		controllers.HandleFinalizers(c.finalizers),
-		controllers.ValidateClusterExtension(
-			controllers.ServiceAccountValidator(coreClient),
-		),
 		controllers.MigrateStorage(storageMigrator),
 		controllers.RetrieveRevisionStates(revisionStatesGetter),
 		controllers.ResolveBundle(c.resolver, c.mgr.GetClient()),
@@ -654,29 +649,19 @@ func (c *boxcutterReconcilerConfigurator) Configure(ceReconciler *controllers.Cl
 		return fmt.Errorf("unable to add tracking cache to manager: %v", err)
 	}
 
-	cerCoreClient, err := corev1client.NewForConfig(c.mgr.GetConfig())
-	if err != nil {
-		return fmt.Errorf("unable to create client for ClusterExtensionRevision controller: %w", err)
-	}
-	cerTokenGetter := authentication.NewTokenGetter(cerCoreClient, authentication.WithExpirationDuration(1*time.Hour))
-
-	revisionEngineFactory, err := controllers.NewDefaultRevisionEngineFactory(
+	revisionEngine := controllers.NewRevisionEngine(
 		c.mgr.GetScheme(),
 		trackingCache,
 		discoveryClient,
 		c.mgr.GetRESTMapper(),
 		fieldOwnerPrefix,
-		c.mgr.GetConfig(),
-		cerTokenGetter,
+		c.mgr.GetClient(),
 	)
-	if err != nil {
-		return fmt.Errorf("unable to create revision engine factory: %w", err)
-	}
 
 	if err = (&controllers.ClusterExtensionRevisionReconciler{
-		Client:                c.mgr.GetClient(),
-		RevisionEngineFactory: revisionEngineFactory,
-		TrackingCache:         trackingCache,
+		Client:         c.mgr.GetClient(),
+		RevisionEngine: revisionEngine,
+		TrackingCache:  trackingCache,
 	}).SetupWithManager(c.mgr); err != nil {
 		return fmt.Errorf("unable to setup ClusterExtensionRevision controller: %w", err)
 	}
@@ -688,19 +673,13 @@ func (c *helmReconcilerConfigurator) Configure(ceReconciler *controllers.Cluster
 	if err != nil {
 		return fmt.Errorf("unable to create core client: %w", err)
 	}
-	tokenGetter := authentication.NewTokenGetter(coreClient, authentication.WithExpirationDuration(1*time.Hour))
-	clientRestConfigMapper := action.ServiceAccountRestConfigMapper(tokenGetter)
-	if features.OperatorControllerFeatureGate.Enabled(features.SyntheticPermissions) {
-		clientRestConfigMapper = action.SyntheticUserRestConfigMapper(clientRestConfigMapper)
-	}
 
 	cfgGetter, err := helmclient.NewActionConfigGetter(c.mgr.GetConfig(), c.mgr.GetRESTMapper(),
 		helmclient.StorageDriverMapper(action.ChunkedStorageDriverMapper(coreClient, c.mgr.GetAPIReader(), cfg.systemNamespace)),
 		helmclient.ClientNamespaceMapper(func(obj client.Object) (string, error) {
 			ext := obj.(*ocv1.ClusterExtension)
 			return ext.Spec.Namespace, nil
 		}),
-		helmclient.ClientRestConfigMapper(clientRestConfigMapper),
 	)
 	if err != nil {
 		return fmt.Errorf("unable to create helm action config getter: %w", err)
@@ -713,11 +692,14 @@ func (c *helmReconcilerConfigurator) Configure(ceReconciler *controllers.Cluster
 		return fmt.Errorf("unable to create helm action client getter: %w", err)
 	}
 
-	cm := contentmanager.NewManager(clientRestConfigMapper, c.mgr.GetConfig(), c.mgr.GetRESTMapper())
+	cm, err := contentmanager.NewManager(c.mgr.GetConfig(), c.mgr.GetRESTMapper())
+	if err != nil {
+		setupLog.Error(err, "unable to create content manager")
+		return err
+	}
 	err = c.finalizers.Register(controllers.ClusterExtensionCleanupContentManagerCacheFinalizer, finalizers.FinalizerFunc(func(ctx context.Context, obj client.Object) (crfinalizer.Result, error) {
-		ext := obj.(*ocv1.ClusterExtension)
-		err := cm.Delete(ext)
-		return crfinalizer.Result{}, err
+		cm.Delete(ctx, obj.GetName())
+		return crfinalizer.Result{}, nil
 	}))
 	if err != nil {
 		setupLog.Error(err, "unable to register content manager cleanup finalizer")
@@ -737,9 +719,6 @@ func (c *helmReconcilerConfigurator) Configure(ceReconciler *controllers.Cluster
 	revisionStatesGetter := &controllers.HelmRevisionStatesGetter{ActionClientGetter: acg}
 	ceReconciler.ReconcileSteps = []controllers.ReconcileStepFunc{
 		controllers.HandleFinalizers(c.finalizers),
-		controllers.ValidateClusterExtension(
-			controllers.ServiceAccountValidator(coreClient),
-		),
 		controllers.RetrieveRevisionStates(revisionStatesGetter),
 		controllers.ResolveBundle(c.resolver, c.mgr.GetClient()),
 		controllers.UnpackBundle(c.imagePuller, c.imageCache),