From 778644cafed5abe89bb8aa335deb91a8f368bb0a Mon Sep 17 00:00:00 2001
From: "Per G. da Silva"
Date: Wed, 18 Feb 2026 16:16:45 +0100
Subject: [PATCH] Replace cluster-admin with least-privilege RBAC for BoxcutterRuntime
The operator-controller service account was bound to the cluster-admin ClusterRole when the BoxcutterRuntime feature gate was enabled. Replace this with explicit, scoped RBAC rules in the operator-controller-manager-role ClusterRole:
- list+watch on all API groups and resources (*/*), required for the boxcutter runtime to set up informers for arbitrary resource types defined in ClusterExtensionRevision phases
- Full CRUD (create, get, list, patch, update, watch) on clusterextensionrevisions
- patch+update on clusterextensionrevisions/status
- update on clusterextensionrevisions/finalizers
The ClusterRoleBinding now always references operator-controller-manager-role regardless of whether BoxcutterRuntime is enabled, removing the conditional cluster-admin binding. Static manifests (experimental.yaml and experimental-e2e.yaml) are updated to match.
Signed-off-by: Per G. da Silva
Co-Authored-By: Claude Opus 4.6
---
...rrole-operator-controller-manager-role.yml | 33 +++++++++++++++++++
...perator-controller-manager-rolebinding.yml | 4 ---
manifests/experimental-e2e.yaml | 33 ++++++++++++++++++-
manifests/experimental.yaml | 33 ++++++++++++++++++-
4 files changed, 97 insertions(+), 6 deletions(-)
diff --git a/helm/olmv1/templates/rbac/clusterrole-operator-controller-manager-role.yml b/helm/olmv1/templates/rbac/clusterrole-operator-controller-manager-role.yml
index 84f221003c..2049532be6 100644
--- a/helm/olmv1/templates/rbac/clusterrole-operator-controller-manager-role.yml
+++ b/helm/olmv1/templates/rbac/clusterrole-operator-controller-manager-role.yml
@@ -72,4 +72,37 @@ rules:
 verbs:
 - use
 {{- end }}
+ {{- if has "BoxcutterRuntime" .Values.options.operatorController.features.enabled }}
+ - apiGroups:
+ - "*"
+ resources:
+ - "*"
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensionrevisions
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensionrevisions/status
+ verbs:
+ - patch
+ - update
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensionrevisions/finalizers
+ verbs:
+ - update
+ {{- end }}
 {{- end }}
diff --git a/helm/olmv1/templates/rbac/clusterrolebinding-operator-controller-manager-rolebinding.yml b/helm/olmv1/templates/rbac/clusterrolebinding-operator-controller-manager-rolebinding.yml
index 9817337dff..5d1beeb57c 100644
--- a/helm/olmv1/templates/rbac/clusterrolebinding-operator-controller-manager-rolebinding.yml
+++ b/helm/olmv1/templates/rbac/clusterrolebinding-operator-controller-manager-rolebinding.yml
@@ -16,11 +16,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
-{{- if has "BoxcutterRuntime" .Values.options.operatorController.features.enabled }}
- name: cluster-admin
-{{- else }}
 name: operator-controller-manager-role
-{{- end }}
 subjects:
 - kind: ServiceAccount
 name: operator-controller-controller-manager
diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml
index eb72fb01f6..c6e370cda0 100644
--- a/manifests/experimental-e2e.yaml
+++ b/manifests/experimental-e2e.yaml
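Review bot: The new `apiGroups: "*"` / `resources: "*"` rule with `list` and `watch` is cluster-wide read access to every resource type, Secrets included, because `list` and `watch` return full object bodies; it is a large reduction from cluster-admin, but it still makes the operator-controller service account a cluster-wide secret reader, and nothing in the template records why that is accepted. Add a template comment directly above that rule so the scope is reviewed deliberately on future edits, e.g. `{{- /* Cluster-wide list/watch (read of every resource, Secrets included) is required for the boxcutter runtime's dynamic informers; no get/create/update/delete is granted here. */}}`. If the runtime can enumerate the kinds it will cache before starting informers, a narrower resource list would be preferable; I cannot tell from this hunk whether that is feasible. The same rules are rendered into manifests/experimental.yaml and manifests/experimental-e2e.yaml, so the comment only needs to live in the template. The enclosing `rules:` list and its outer `{{- if }}` begin before this hunk.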
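Review bot: `roleRef` on a ClusterRoleBinding is immutable, so an existing binding that was rendered with `name: cluster-admin` cannot be updated in place to `name: operator-controller-manager-role`; the API server rejects the change (`cannot change roleRef`), and both `helm upgrade` from a release with BoxcutterRuntime enabled and `kubectl apply` of the regenerated manifests would fail on this object unless the binding is deleted and recreated first. The commit should state that one-time recreate step, at minimum in the commit message or a comment on this template, or handle it in the chart (for example a pre-upgrade hook that removes the old binding). Installations that never enabled the gate are unaffected, since their binding already references operator-controller-manager-role. The binding's metadata and the rest of its subjects list extend beyond this hunk.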
@@ -1824,6 +1824,37 @@ rules:
 verbs:
 - list
 - watch
+ - apiGroups:
+ - "*"
+ resources:
+ - "*"
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensionrevisions
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensionrevisions/status
+ verbs:
+ - patch
+ - update
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensionrevisions/finalizers
+ verbs:
+ - update
 ---
 # Source: olmv1/templates/rbac/clusterrolebinding-catalogd-manager-rolebinding.yml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -1895,7 +1926,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: cluster-admin
+ name: operator-controller-manager-role
 subjects:
 - kind: ServiceAccount
 name: operator-controller-controller-manager
diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml
index 6cb9b18485..46ca67c91b 100644
--- a/manifests/experimental.yaml
+++ b/manifests/experimental.yaml
@@ -1785,6 +1785,37 @@ rules:
 verbs:
 - list
 - watch
+ - apiGroups:
+ - "*"
+ resources:
+ - "*"
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensionrevisions
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensionrevisions/status
+ verbs:
+ - patch
+ - update
+ - apiGroups:
+ - olm.operatorframework.io
+ resources:
+ - clusterextensionrevisions/finalizers
+ verbs:
+ - update
 ---
 # Source: olmv1/templates/rbac/clusterrolebinding-catalogd-manager-rolebinding.yml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -1856,7 +1887,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: cluster-admin
+ name: operator-controller-manager-role
 subjects:
 - kind: ServiceAccount
 name: operator-controller-controller-manager