Conversation

@camilamacedo86 (Contributor) commented Jan 6, 2026

What's New

When BoxcutterRuntime is enabled, OLM v1 now correctly uses the ServiceAccount you specify in your ClusterExtension to install and manage extensions. This ensures your extensions are installed with only the permissions you grant, not admin privileges.

What This Means for You

More Control:

  • Extensions can only create resources that the ServiceAccount is allowed to create
  • If an extension tries to create something without permission, it fails immediately with a clear error
  • You see exactly which ServiceAccount performed each action in audit logs

Better Security:

  • Extensions no longer bypass RBAC during installation
  • Each extension limited to its ServiceAccount's permissions
  • No more admin-level access by default

Example

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-installer
  namespace: my-app
---
apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  name: my-extension
spec:
  namespace: my-app
  serviceAccount:
    name: my-installer  # ← Your extension uses this SA's permissions
  source:
    sourceType: Catalog
    catalog:
      packageName: my-package
```

What happens: OLM installs the extension using my-installer ServiceAccount. The extension can only do what you've granted that ServiceAccount permission to do.

Copilot AI review requested due to automatic review settings January 6, 2026 17:22
@camilamacedo86 camilamacedo86 requested a review from a team as a code owner January 6, 2026 17:22
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 6, 2026
@openshift-ci openshift-ci bot requested review from grokspawn and oceanc80 January 6, 2026 17:22
netlify bot commented Jan 6, 2026

Deploy Preview for olmv1 ready!

| Name | Link |
|---|---|
| 🔨 Latest commit | 070c7d2 |
| 🔍 Latest deploy log | https://app.netlify.com/projects/olmv1/deploys/696662b3d6fcd900085ee8ab |
| 😎 Deploy Preview | https://deploy-preview-2429--olmv1.netlify.app |

Copilot AI review requested due to automatic review settings January 6, 2026 18:41
@operator-framework operator-framework deleted a comment from Copilot AI Jan 6, 2026
@operator-framework operator-framework deleted a comment from Copilot AI Jan 6, 2026
@operator-framework operator-framework deleted a comment from Copilot AI Jan 6, 2026
@operator-framework operator-framework deleted a comment from Copilot AI Jan 6, 2026
@camilamacedo86 camilamacedo86 changed the title WIP: (feat): [Boxcutter] Use serviceAccount for ClusterExtensionRevision operations ✨ Boxcutter ClusterExtensionRevision operations now uses .spec.serviceAccount Jan 6, 2026
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 6, 2026
@camilamacedo86 camilamacedo86 changed the title ✨ Boxcutter ClusterExtensionRevision operations now uses .spec.serviceAccount WIP ✨ Boxcutter ClusterExtensionRevision operations now uses .spec.serviceAccount Jan 6, 2026
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 6, 2026
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

@operator-framework operator-framework deleted a comment from Copilot AI Jan 6, 2026
@operator-framework operator-framework deleted a comment from Copilot AI Jan 6, 2026
Copilot AI review requested due to automatic review settings January 7, 2026 11:32
@camilamacedo86 camilamacedo86 changed the title WIP ✨ Boxcutter ClusterExtensionRevision operations now uses .spec.serviceAccount ✨ Boxcutter ClusterExtensionRevision operations now uses .spec.serviceAccount Jan 7, 2026
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 7, 2026
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated no new comments.

@camilamacedo86 camilamacedo86 requested a review from pedjak January 8, 2026 18:08
@camilamacedo86 (Contributor, Author) commented
Hi @pedjak and @perdasilva

Could we move forward with this one?
That is anyway just a step towards the end goal.
I think the goal that we want to achieve here is done.

Now we are restricting the permissions for OLMv1 based on the SA provided for Boxcutter as we do for Helm applier.
WDYT?

…operations

Implement serviceAccount-scoped token-based authentication for
ClusterExtensionRevision controller using annotation-based configuration.

- Add RevisionEngineFactory with CreateRevisionEngine(ctx, rev) interface
- Read ServiceAccount from annotations (no ClusterExtension dependency)
- Token-based auth using TokenInjectingRoundTripper
- ServiceAccount name and namespace in annotations for observability
- TrackingCache uses global client for caching/cleanup
- Comprehensive error path tests

ClusterExtensionRevision can exist independently.
Easy mode impersonation deferred until API is finalized.

Assisted-by: Cursor
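The mechanism that both the PR description (install through the ServiceAccount named in `.spec.serviceAccount`) and this commit message (token-based auth via a TokenInjectingRoundTripper) describe, as an added Go example that is not operator-controller's code: a transport that stamps a bearer token onto every outgoing request, driven against a small in-process stand-in for the API server so the allow and deny paths can be seen end to end. The round-tripper's name and shape, the token-to-identity table, the allow-list and the sample paths are all assumptions constructed for this example; a real client obtains the token through the TokenRequest API, and the real API server decides via TokenReview and RBAC rather than a map lookup.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// tokenInjectingRoundTripper sets a bearer token on every request it forwards.
// Illustrative stand-in (an assumption) for the TokenInjectingRoundTripper the
// commit message names; not the project's implementation.
type tokenInjectingRoundTripper struct {
	base  http.RoundTripper
	token func() (string, error) // in production: a TokenRequest-backed getter
}

func (t *tokenInjectingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	tok, err := t.token()
	if err != nil {
		return nil, fmt.Errorf("get service account token: %w", err)
	}
	r := req.Clone(req.Context()) // RoundTripper contract: never mutate the caller's request
	r.Header.Set("Authorization", "Bearer "+tok)
	return t.base.RoundTrip(r)
}

// Constructed sample data: which token belongs to which identity, and what each
// identity may create. A real cluster answers both via TokenReview and RBAC.
var (
	tokenToUser = map[string]string{
		"tok-installer": "system:serviceaccount:my-app:my-installer",
	}
	allowedCreate = map[string]map[string]bool{
		"system:serviceaccount:my-app:my-installer": {
			"/apis/apps/v1/namespaces/my-app/deployments": true,
		},
	}
)

// newFakeAPIServer mimics the API server's decision for a POST: 401 for an
// unknown bearer token, 403 when the identity may not create on that path,
// 201 otherwise. The 403 text names the identity, as the real server does.
func newFakeAPIServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		user, ok := tokenToUser[tok]
		if !ok {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		if !allowedCreate[user][r.URL.Path] {
			http.Error(w, fmt.Sprintf("%s is forbidden: User %q cannot create it", r.URL.Path, user), http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusCreated)
	}))
}

// createAs issues a POST through the token-injecting transport and returns the
// status code and body, so the authorization outcome can be inspected.
func createAs(baseURL, token, path string) (int, string, error) {
	client := &http.Client{Transport: &tokenInjectingRoundTripper{
		base:  http.DefaultTransport,
		token: func() (string, error) { return token, nil },
	}}
	resp, err := client.Post(baseURL+path, "application/json", strings.NewReader("{}"))
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, strings.TrimSpace(string(body)), nil
}

func main() {
	srv := newFakeAPIServer()
	defer srv.Close()
	for _, p := range []string{
		"/apis/apps/v1/namespaces/my-app/deployments",
		"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings",
	} {
		code, body, err := createAs(srv.URL, "tok-installer", p)
		fmt.Println(p, code, body, err)
	}
}
```

The 403 body is the immediate, attributable failure the PR description promises: the user string names the ServiceAccount, which is also what an audit log entry records for the attempted create.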

Adds documentation comments to all label/annotation constants explaining:
- What each constant represents
- Where they are applied (labels vs annotations)
- ServiceAccount constants document their relationship to ClusterExtension spec

Addresses code review feedback for improved maintainability.

The upgrade test ServiceAccount needs permissions to manage
ClusterExtensionRevisions when BoxcutterRuntime is enabled.
Without these permissions, the upgraded controller cannot create
or update ClusterExtensionRevision resources, causing the
ClusterExtension to fail reconciliation after upgrade.
Copilot AI review requested due to automatic review settings January 12, 2026 15:24
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated no new comments.

Add `bind` and `escalate` RBAC verbs to e2e test ServiceAccount to support
Boxcutter applier's use of Kubernetes Server-Side Apply (SSA).

Experimental e2e tests fail when Boxcutter uses ServiceAccount-scoped clients
to apply bundle RBAC resources (ClusterRoles and ClusterRoleBindings):

```
clusterrolebindings.rbac.authorization.k8s.io is forbidden:
User "system:serviceaccount:olmv1-e2e:olm-sa" cannot bind ClusterRole:
RBAC: attempting to grant RBAC permissions not currently held
```

- Uses helm.sh/helm/v3 library
- Applies resources with traditional CREATE/UPDATE operations
- Kubernetes RBAC allows ClusterRoleBinding creation when the ServiceAccount
  already has all the permissions being granted (permission matching)
- **Works WITHOUT `bind`/`escalate` verbs** ✅

- Uses pkg.package-operator.run/boxcutter machinery
- Applies resources with **Server-Side Apply (SSA)** (`client.Apply`)
- SSA enforces field-level ownership and **stricter RBAC enforcement**
- Kubernetes API server **requires explicit `bind` verb** for ClusterRoleBindings
- Permission matching fallback does NOT work reliably with SSA
- **REQUIRES `bind`/`escalate` verbs** ❌

Validated by running actual tests:

**Test 1: Main branch standard-e2e (Helm, NO bind/escalate)**
```bash
make test-e2e
```
Result: ✅ PASS (21 scenarios passed)

**Test 2: PR branch experimental-e2e (Boxcutter, NO bind/escalate)**
```bash
make test-experimental-e2e
```
Result: ❌ FAIL (cannot bind ClusterRole error)

**Test 3: PR branch experimental-e2e (Boxcutter, WITH bind/escalate)**
Result: ✅ PASS (all tests pass)

Add `bind` and `escalate` verbs to the e2e test RBAC template:

```yaml
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: [clusterroles, roles, clusterrolebindings, rolebindings]
  verbs: [ update, create, list, watch, get, delete, patch, bind, escalate ]
```

These verbs allow the ServiceAccount to:
- `bind`: Create ClusterRoleBindings that reference roles with permissions
  the ServiceAccount doesn't have
- `escalate`: Create ClusterRoles with permissions the ServiceAccount doesn't have

This is the documented requirement in `docs/concepts/permission-model.md` for
extension installers and aligns with Kubernetes RBAC best practices.

1. **Required for SSA**: Server-Side Apply has stricter RBAC enforcement
2. **Documented requirement**: OLMv1 docs specify bind/escalate as proper approach
3. **Industry best practice**: Operator installers should have these verbs
4. **Supports all operators**: Not just test-operator with matching permissions
5. **Maintains SSA benefits**: Field ownership, conflict resolution, GitOps support

- Kubernetes RBAC: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping
- OLMv1 Permission Model: docs/concepts/permission-model.md
- Boxcutter machinery: pkg.package-operator.run/boxcutter/machinery (uses client.Apply)
- Testing evidence: FINAL_TESTED_ANSWER.md, SERVER_SIDE_APPLY_ANSWER.md

Tested-by: Actual e2e test runs comparing Helm vs Boxcutter behavior
Signed-off-by: Camila <[email protected]>
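The escalation-prevention rule this commit message relies on (the Kubernetes RBAC page it links), as an added Go model that is neither the project's nor Kubernetes' code: writing a ClusterRole or ClusterRoleBinding passes when the subject holds `escalate` or `bind` on clusterroles, or when it already holds every permission the new object would grant, and is otherwise denied with the wording quoted in the commit message. `PolicyRule`, the coverage check and the sample installer rules are simplified assumptions (resourceNames and nonResourceURLs are omitted). The example goes beyond the e2e case above by also exercising the permission-matching path and a wildcard request.

```go
package main

import "fmt"

// PolicyRule is a simplified model of a Kubernetes RBAC PolicyRule
// (assumption: resource rules only; resourceNames and nonResourceURLs omitted).
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// matches reports whether list grants want. A "*" in list grants anything,
// while a "*" in want is only satisfied by a literal "*" in list, which keeps
// the check conservative for wildcard requests.
func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// ruleCovers reports whether one held rule grants a (group, resource, verb) triple.
func ruleCovers(held PolicyRule, group, resource, verb string) bool {
	return matches(held.APIGroups, group) && matches(held.Resources, resource) && matches(held.Verbs, verb)
}

// Covers reports whether held covers every triple expressed by requested and
// returns the first uncovered triple so the denial message is readable.
func Covers(held, requested []PolicyRule) (bool, string) {
	for _, req := range requested {
		for _, g := range req.APIGroups {
			for _, r := range req.Resources {
				for _, v := range req.Verbs {
					covered := false
					for _, h := range held {
						if ruleCovers(h, g, r, v) {
							covered = true
							break
						}
					}
					if !covered {
						return false, fmt.Sprintf("%s %s.%s", v, r, g)
					}
				}
			}
		}
	}
	return true, ""
}

const rbacGroup = "rbac.authorization.k8s.io"

// mayGrant models the API server's escalation-prevention rule for RBAC writes:
// the request passes if the subject holds the escape-hatch verb (bind or
// escalate) on the RBAC resource, or already holds every permission the new
// object would grant. Denial wording follows the error quoted above.
func mayGrant(held []PolicyRule, escapeVerb, rbacResource string, granted []PolicyRule) (bool, string) {
	for _, h := range held {
		if ruleCovers(h, rbacGroup, rbacResource, escapeVerb) {
			return true, "allowed: subject holds " + escapeVerb + " on " + rbacResource
		}
	}
	if ok, missing := Covers(held, granted); !ok {
		return false, "RBAC: attempting to grant RBAC permissions not currently held: " + missing
	}
	return true, "allowed: subject already holds every permission being granted"
}

// MayCreateClusterRole needs "escalate" on clusterroles or coverage of the new rules.
func MayCreateClusterRole(held, newRoleRules []PolicyRule) (bool, string) {
	return mayGrant(held, "escalate", "clusterroles", newRoleRules)
}

// MayCreateClusterRoleBinding needs "bind" on clusterroles or coverage of the
// rules in the role the binding references.
func MayCreateClusterRoleBinding(held, referencedRoleRules []PolicyRule) (bool, string) {
	return mayGrant(held, "bind", "clusterroles", referencedRoleRules)
}

// Constructed sample: an installer SA that may manage RBAC objects and
// deployments but was not given bind/escalate.
var installerWithoutBind = []PolicyRule{
	{APIGroups: []string{rbacGroup}, Resources: []string{"clusterroles", "clusterrolebindings"},
		Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}},
	{APIGroups: []string{"apps"}, Resources: []string{"deployments"}, Verbs: []string{"get", "list", "create"}},
}

// withBindEscalate returns a copy of rules with the verbs the e2e RBAC template adds.
func withBindEscalate(rules []PolicyRule) []PolicyRule {
	out := append([]PolicyRule(nil), rules...)
	return append(out, PolicyRule{APIGroups: []string{rbacGroup},
		Resources: []string{"clusterroles", "roles", "clusterrolebindings", "rolebindings"},
		Verbs:     []string{"bind", "escalate"}})
}

func main() {
	// A bundle role granting something the installer itself does not hold.
	bundleRole := []PolicyRule{{APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"get"}}}
	for _, held := range [][]PolicyRule{installerWithoutBind, withBindEscalate(installerWithoutBind)} {
		ok, msg := MayCreateClusterRoleBinding(held, bundleRole)
		fmt.Printf("allowed=%v: %s\n", ok, msg)
	}
}
```

Run as-is it prints the denial for the installer without `bind` and the allow once the verb is added; the permission-matching branch is the reason an installer that already holds everything the bundle asks for can bind it without the extra verbs.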
Copilot AI review requested due to automatic review settings January 13, 2026 12:22
Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated no new comments.

Signed-off-by: Per Goncalves da Silva <[email protected]>
@perdasilva (Contributor) commented

/approve

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 13, 2026
@pedjak (Contributor) left a comment

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 13, 2026
openshift-ci bot commented Jan 13, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pedjak, perdasilva

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details: Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit 049f813 into operator-framework:main Jan 13, 2026
29 checks passed
@camilamacedo86 camilamacedo86 deleted the admin-install branch January 13, 2026 16:59