add create verb to boxcutter preflight

Author: kuiwang02

cmd/operator-controller/main.go

@@ -743,7 +743,6 @@ func (c *helmReconcilerConfigurator) Configure(ceReconciler *controllers.Cluster
 			c.mgr.GetClient(),
 			// Additional verbs / bundle manifest that are expected by the content manager to watch those resources
 			authorization.WithClusterCollectionVerbs("list", "watch"),
-			authorization.WithNamespacedCollectionVerbs("create"),
 		)
 	}
 

internal/operator-controller/authorization/rbac.go

@@ -57,7 +57,7 @@ type ScopedPolicyRules struct {
 	MissingRules []rbacv1.PolicyRule
 }
 
-var objectVerbs = []string{"get", "patch", "update", "delete"}
+var objectVerbs = []string{"get", "patch", "update", "delete", "create"}
 
 type RBACPreAuthorizerOption func(*rbacPreAuthorizer)
 
@@ -69,7 +69,7 @@ func WithClusterCollectionVerbs(verbs ...string) RBACPreAuthorizerOption {
 	}
 }
 
-// WithNamespacedCollectionVerbs configures namespaced collection verbs (e.g. create)
+// WithNamespacedCollectionVerbs configures additional namespaced collection verbs
 // that are checked for each unique namespace across all objects in a GVR.
 func WithNamespacedCollectionVerbs(verbs ...string) RBACPreAuthorizerOption {
 	return func(a *rbacPreAuthorizer) {
@@ -342,7 +342,7 @@ func (dm *decodedManifest) rbacObjects() []client.Object {
 
 func (dm *decodedManifest) asAuthorizationAttributesRecordsForUser(manifestManager user.Info, clusterCollectionVerbs, namespacedCollectionVerbs []string) []authorizer.AttributesRecord {
 	// Calculate initial capacity as an upper-bound estimate:
-	// - For each key: len(objectVerbs) records (4)
+	// - For each key: len(objectVerbs) records (5)
 	// - For unique namespaces: len(namespacedCollectionVerbs) records (1 per unique namespace across all keys in a GVR)
 	//   We use totalKeys as upper bound (worst case: each key in different namespace)
 	// - For each GVR: len(clusterCollectionVerbs) records (2)
@@ -357,7 +357,7 @@ func (dm *decodedManifest) asAuthorizationAttributesRecordsForUser(manifestManag
 		namespaces := sets.New[string]()
 		for _, k := range keys {
 			namespaces.Insert(k.Namespace)
-			// generate records for object-specific verbs (get, update, patch, delete) in their respective namespaces
+			// generate records for object-specific verbs (get, update, patch, delete, create) in their respective namespaces
 			for _, v := range objectVerbs {
 				attributeRecords = append(attributeRecords, authorizer.AttributesRecord{
 					User:            manifestManager,
@@ -371,7 +371,7 @@ func (dm *decodedManifest) asAuthorizationAttributesRecordsForUser(manifestManag
 				})
 			}
 		}
-		// generate records for namespaced collection verbs (create) for each relevant namespace
+		// generate records for namespaced collection verbs for each relevant namespace
 		for _, ns := range sets.List(namespaces) {
 			for _, v := range namespacedCollectionVerbs {
 				attributeRecords = append(attributeRecords, authorizer.AttributesRecord{

internal/operator-controller/authorization/rbac_test.go

@@ -396,7 +396,7 @@ func setupFakeClient(role client.Object) client.Client {
 func TestPreAuthorize_Success(t *testing.T) {
 	t.Run("preauthorize succeeds with no missing rbac rules", func(t *testing.T) {
 		fakeClient := setupFakeClient(privilegedClusterRole)
-		preAuth := NewRBACPreAuthorizer(fakeClient, WithClusterCollectionVerbs("list", "watch"), WithNamespacedCollectionVerbs("create"))
+		preAuth := NewRBACPreAuthorizer(fakeClient, WithClusterCollectionVerbs("list", "watch"))
 		missingRules, err := preAuth.PreAuthorize(context.TODO(), testUser, strings.NewReader(testManifest))
 		require.NoError(t, err)
 		require.Equal(t, []ScopedPolicyRules{}, missingRules)
@@ -406,7 +406,7 @@ func TestPreAuthorize_Success(t *testing.T) {
 func TestPreAuthorize_MissingRBAC(t *testing.T) {
 	t.Run("preauthorize fails and finds missing rbac rules", func(t *testing.T) {
 		fakeClient := setupFakeClient(limitedClusterRole)
-		preAuth := NewRBACPreAuthorizer(fakeClient, WithClusterCollectionVerbs("list", "watch"), WithNamespacedCollectionVerbs("create"))
+		preAuth := NewRBACPreAuthorizer(fakeClient, WithClusterCollectionVerbs("list", "watch"))
 		missingRules, err := preAuth.PreAuthorize(context.TODO(), testUser, strings.NewReader(testManifest))
 		require.NoError(t, err)
 		require.Equal(t, expectedSingleNamespaceMissingRules, missingRules)
@@ -416,7 +416,7 @@ func TestPreAuthorize_MissingRBAC(t *testing.T) {
 func TestPreAuthorizeMultiNamespace_MissingRBAC(t *testing.T) {
 	t.Run("preauthorize fails and finds missing rbac rules in multiple namespaces", func(t *testing.T) {
 		fakeClient := setupFakeClient(limitedClusterRole)
-		preAuth := NewRBACPreAuthorizer(fakeClient, WithClusterCollectionVerbs("list", "watch"), WithNamespacedCollectionVerbs("create"))
+		preAuth := NewRBACPreAuthorizer(fakeClient, WithClusterCollectionVerbs("list", "watch"))
 		missingRules, err := preAuth.PreAuthorize(context.TODO(), testUser, strings.NewReader(testManifestMultiNamespace))
 		require.NoError(t, err)
 		require.Equal(t, expectedMultiNamespaceMissingRules, missingRules)
@@ -426,7 +426,7 @@ func TestPreAuthorizeMultiNamespace_MissingRBAC(t *testing.T) {
 func TestPreAuthorize_CheckEscalation(t *testing.T) {
 	t.Run("preauthorize succeeds with no missing rbac rules", func(t *testing.T) {
 		fakeClient := setupFakeClient(escalatingClusterRole)
-		preAuth := NewRBACPreAuthorizer(fakeClient, WithClusterCollectionVerbs("list", "watch"), WithNamespacedCollectionVerbs("create"))
+		preAuth := NewRBACPreAuthorizer(fakeClient, WithClusterCollectionVerbs("list", "watch"))
 		missingRules, err := preAuth.PreAuthorize(context.TODO(), testUser, strings.NewReader(testManifest))
 		require.NoError(t, err)
 		require.Equal(t, []ScopedPolicyRules{}, missingRules)
@@ -436,7 +436,7 @@ func TestPreAuthorize_CheckEscalation(t *testing.T) {
 func TestPreAuthorize_AdditionalRequiredPerms_MissingRBAC(t *testing.T) {
 	t.Run("preauthorize fails and finds missing rbac rules coming from the additional required permissions", func(t *testing.T) {
 		fakeClient := setupFakeClient(escalatingClusterRole)
-		preAuth := NewRBACPreAuthorizer(fakeClient, WithClusterCollectionVerbs("list", "watch"), WithNamespacedCollectionVerbs("create"))
+		preAuth := NewRBACPreAuthorizer(fakeClient, WithClusterCollectionVerbs("list", "watch"))
 		missingRules, err := preAuth.PreAuthorize(context.TODO(), testUser, strings.NewReader(testManifest), func(user user.Info) []authorizer.AttributesRecord {
 			return []authorizer.AttributesRecord{
 				{
@@ -468,8 +468,8 @@ func TestPreAuthorize_AdditionalRequiredPerms_MissingRBAC(t *testing.T) {
 func TestPreAuthorize_WithClusterCollectionVerbs(t *testing.T) {
 	// expectedNamespacedMissingRules are the missing rules expected in the "test-namespace"
 	// namespace regardless of cluster collection verb configuration. These come from object
-	// verbs (get, patch, update, delete), namespaced collection verbs (create), and the
-	// escalation check for the role/rolebinding in the manifest.
+	// verbs (get, patch, update, delete, create) and the escalation check for the
+	// role/rolebinding in the manifest.
 	expectedNamespacedMissingRules := ScopedPolicyRules{
 		Namespace: "test-namespace",
 		MissingRules: []rbacv1.PolicyRule{
@@ -514,7 +514,7 @@ func TestPreAuthorize_WithClusterCollectionVerbs(t *testing.T) {
 
 	t.Run("no cluster collection verbs option omits cluster-scoped collection rules", func(t *testing.T) {
 		fakeClient := setupFakeClient(limitedClusterRole)
-		preAuth := NewRBACPreAuthorizer(fakeClient, WithNamespacedCollectionVerbs("create"))
+		preAuth := NewRBACPreAuthorizer(fakeClient)
 		missingRules, err := preAuth.PreAuthorize(context.TODO(), testUser, strings.NewReader(testManifest))
 		require.NoError(t, err)
 		// With no cluster collection verbs, there should be no cluster-scoped (namespace="") missing rules
@@ -557,7 +557,7 @@ func TestPreAuthorize_WithClusterCollectionVerbs(t *testing.T) {
 
 	t.Run("privileged user with no cluster collection verbs succeeds", func(t *testing.T) {
 		fakeClient := setupFakeClient(privilegedClusterRole)
-		preAuth := NewRBACPreAuthorizer(fakeClient, WithNamespacedCollectionVerbs("create"))
+		preAuth := NewRBACPreAuthorizer(fakeClient)
 		missingRules, err := preAuth.PreAuthorize(context.TODO(), testUser, strings.NewReader(testManifest))
 		require.NoError(t, err)
 		require.Equal(t, []ScopedPolicyRules{}, missingRules)
@@ -635,7 +635,7 @@ func TestPreAuthorize_WithNamespacedCollectionVerbs(t *testing.T) {
 
 	t.Run("namespaced collection verbs option checks those verbs per namespace", func(t *testing.T) {
 		fakeClient := setupFakeClient(limitedClusterRole)
-		preAuth := NewRBACPreAuthorizer(fakeClient, WithClusterCollectionVerbs("list", "watch"), WithNamespacedCollectionVerbs("create", "deletecollection"))
+		preAuth := NewRBACPreAuthorizer(fakeClient, WithClusterCollectionVerbs("list", "watch"), WithNamespacedCollectionVerbs("deletecollection"))
 		missingRules, err := preAuth.PreAuthorize(context.TODO(), testUser, strings.NewReader(testManifest))
 		require.NoError(t, err)
 		// Should have cluster-scoped missing rules plus namespaced rules with both create and deletecollection.
@@ -689,7 +689,7 @@ func TestPreAuthorize_WithNamespacedCollectionVerbs(t *testing.T) {
 
 	t.Run("privileged user with custom namespaced collection verbs succeeds", func(t *testing.T) {
 		fakeClient := setupFakeClient(privilegedClusterRole)
-		preAuth := NewRBACPreAuthorizer(fakeClient, WithNamespacedCollectionVerbs("create", "deletecollection"))
+		preAuth := NewRBACPreAuthorizer(fakeClient, WithNamespacedCollectionVerbs("deletecollection"))
 		missingRules, err := preAuth.PreAuthorize(context.TODO(), testUser, strings.NewReader(testManifest))
 		require.NoError(t, err)
 		require.Equal(t, []ScopedPolicyRules{}, missingRules)

test/e2e/features/install.feature

@@ -535,3 +535,38 @@ Feature: Install ClusterExtension
             nodeSelector:
               kubernetes.io/os: linux
       """
+
+  @BoxcutterRuntime
+  @PreflightPermissions
+  Scenario: Boxcutter preflight check detects missing CREATE permissions
+    Given ServiceAccount "olm-sa" without create permissions is available in ${TEST_NAMESPACE}
+    And ClusterExtension is applied
+      """
+      apiVersion: olm.operatorframework.io/v1
+      kind: ClusterExtension
+      metadata:
+        name: ${NAME}
+      spec:
+        namespace: ${TEST_NAMESPACE}
+        serviceAccount:
+          name: olm-sa
+        source:
+          sourceType: Catalog
+          catalog:
+            packageName: test
+            selector:
+              matchLabels:
+                "olm.operatorframework.io/metadata.name": test-catalog
+      """
+    And ClusterExtension reports Progressing as True with Reason Retrying and Message includes:
+      """
+      pre-authorization failed: service account requires the following permissions to manage cluster extension
+      """
+    And ClusterExtension reports Progressing as True with Reason Retrying and Message includes:
+      """
+      Verbs:[create]
+      """
+    When ServiceAccount "olm-sa" with needed permissions is available in ${TEST_NAMESPACE}
+    Then ClusterExtension is available
+    And ClusterExtension reports Progressing as True with Reason Succeeded
+    And ClusterExtension reports Installed as True

test/e2e/steps/steps.go

@@ -120,6 +120,7 @@ func RegisterSteps(sc *godog.ScenarioContext) {
 	sc.Step(`^(?i)ServiceAccount "([^"]*)" with permissions to install extensions is available in "([^"]*)" namespace$`, ServiceAccountWithNeededPermissionsIsAvailableInGivenNamespace)
 	sc.Step(`^(?i)ServiceAccount "([^"]*)" with needed permissions is available in test namespace$`, ServiceAccountWithNeededPermissionsIsAvailableInTestNamespace)
 	sc.Step(`^(?i)ServiceAccount "([^"]*)" with needed permissions is available in \${TEST_NAMESPACE}$`, ServiceAccountWithNeededPermissionsIsAvailableInTestNamespace)
+	sc.Step(`^(?i)ServiceAccount "([^"]*)" without create permissions is available in \${TEST_NAMESPACE}$`, ServiceAccountWithoutCreatePermissionsIsAvailableInTestNamespace)
 	sc.Step(`^(?i)ServiceAccount "([^"]*)" is available in \${TEST_NAMESPACE}$`, ServiceAccountIsAvailableInNamespace)
 	sc.Step(`^(?i)ServiceAccount "([^"]*)" in test namespace is cluster admin$`, ServiceAccountWithClusterAdminPermissionsIsAvailableInNamespace)
 	sc.Step(`^(?i)ServiceAccount "([^"]+)" in test namespace has permissions to fetch "([^"]+)" metrics$`, ServiceAccountWithFetchMetricsPermissions)
@@ -877,6 +878,18 @@ func ServiceAccountWithNeededPermissionsIsAvailableInTestNamespace(ctx context.C
 	return applyPermissionsToServiceAccount(ctx, serviceAccount, rbacTemplate)
 }
 
+// ServiceAccountWithoutCreatePermissionsIsAvailableInTestNamespace creates a ServiceAccount with permissions that
+// intentionally exclude the "create" verb to test preflight permission validation for Boxcutter applier.
+// This is used to verify that the preflight check properly detects missing CREATE permissions.
+func ServiceAccountWithoutCreatePermissionsIsAvailableInTestNamespace(ctx context.Context, serviceAccount string) error {
+	kernel := "helm"
+	if enabled, found := featureGates[features.BoxcutterRuntime]; found && enabled {
+		kernel = "boxcutter"
+	}
+	rbacTemplate := fmt.Sprintf("%s-%s-no-create-rbac-template.yaml", serviceAccount, kernel)
+	return applyPermissionsToServiceAccount(ctx, serviceAccount, rbacTemplate)
+}
+
 // ServiceAccountWithNeededPermissionsIsAvailableInGivenNamespace creates a ServiceAccount and enables creation of any cluster extension on behalf of this account.
 func ServiceAccountWithNeededPermissionsIsAvailableInGivenNamespace(ctx context.Context, serviceAccount string, ns string) error {
 	sc := scenarioCtx(ctx)

test/e2e/steps/testdata/olm-sa-boxcutter-no-create-rbac-template.yaml

@@ -0,0 +1,72 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ${TEST_NAMESPACE}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ${TEST_NAMESPACE}-${SERVICEACCOUNT_NAME}-olm-admin-clusterrole
+rules:
+  # Allow management of ClusterExtensionRevision finalizers (e.g. by the Boxcutter applier)
+  - apiGroups: [olm.operatorframework.io]
+    resources: [clusterextensionrevisions/finalizers]
+    verbs: [update, patch]
+  # OLMv0 compatibility requirement for AllNamespaces install
+  # https://github.com/operator-framework/operator-lifecycle-manager/blob/dfd0b2bea85038d3c0d65348bc812d297f16b8d2/pkg/controller/operators/olm/operatorgroup.go#L530
+  - apiGroups: [ "" ]
+    resources:
+      - namespaces
+    verbs: [ get, list, watch ]
+  # Bundle resource management RBAC derived from bundle resource and permissions described in the ClusterServiceVersion
+  # NOTE: Intentionally MISSING "create" verb to test preflight check
+  - apiGroups: [apiextensions.k8s.io]
+    resources: [customresourcedefinitions]
+    verbs: [update, get, delete, patch]
+  - apiGroups: [""]
+    resources:
+      - configmaps
+      - serviceaccounts
+    verbs: [update, list, watch, get, delete, patch]
+  - apiGroups: [ "" ]
+    resources:
+      - events
+    verbs: [ patch ]
+  - apiGroups: ["apps"]
+    resources:
+      - deployments
+    verbs: [ update, get, delete, patch ]
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+      - networkpolicies
+    verbs: [update, list, get, delete, patch]
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources:
+      - clusterroles
+      - roles
+      - clusterrolebindings
+      - rolebindings
+    verbs: [ update, get, delete, patch ]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: [update, list, watch, get, delete, patch]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: [create]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: [create]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ${TEST_NAMESPACE}-${SERVICEACCOUNT_NAME}-install-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ${TEST_NAMESPACE}-${SERVICEACCOUNT_NAME}-olm-admin-clusterrole
+subjects:
+  - kind: ServiceAccount
+    name: ${SERVICEACCOUNT_NAME}
+    namespace: ${TEST_NAMESPACE}

test/e2e/steps/testdata/olm-sa-helm-no-create-rbac-template.yaml

@@ -0,0 +1,68 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ${TEST_NAMESPACE}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ${TEST_NAMESPACE}-${SERVICEACCOUNT_NAME}-olm-admin-clusterrole
+rules:
+  - apiGroups: [olm.operatorframework.io]
+    resources: [clusterextensions, clusterextensions/finalizers]
+    resourceNames: ["${CLUSTEREXTENSION_NAME}"]
+    verbs: [update]
+  # Bundle resource management RBAC derived from bundle resource and permissions described in the ClusterServiceVersion
+  # NOTE: Intentionally MISSING "create" verb to test preflight check
+  - apiGroups: [apiextensions.k8s.io]
+    resources: [customresourcedefinitions]
+    verbs: [update, list, watch, get, delete, patch]
+  - apiGroups: [""]
+    resources:
+      - configmaps
+      - secrets
+      - services
+      - serviceaccounts
+      - events
+      - namespaces
+      - persistentvolumes
+      - persistentvolumeclaims
+    verbs: [update, list, watch, get, delete, patch]
+  - apiGroups: ["apps"]
+    resources:
+      - deployments
+    verbs: [ update, list, watch, get, delete, patch ]
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+      - networkpolicies
+    verbs: [ update, list, watch, get, delete, patch ]
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources:
+      - clusterroles
+      - roles
+      - clusterrolebindings
+      - rolebindings
+    verbs: [ update, list, watch, get, delete, patch ]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: [ update, list, watch, get, delete, patch ]
+  - apiGroups: ["authorization.k8s.io"]
+    resources: ["subjectaccessreviews"]
+    verbs: [create]
+  - apiGroups: ["authentication.k8s.io"]
+    resources: ["tokenreviews"]
+    verbs: [create]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ${TEST_NAMESPACE}-${SERVICEACCOUNT_NAME}-install-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ${TEST_NAMESPACE}-${SERVICEACCOUNT_NAME}-olm-admin-clusterrole
+subjects:
+  - kind: ServiceAccount
+    name: ${SERVICEACCOUNT_NAME}
+    namespace: ${TEST_NAMESPACE}