Skip to content

✨ (feat): When using Boxcutter feature-gate, use ClusterExtension ServiceAccount for revision operations #2429

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
camilamacedo86 wants to merge 4 commits into
base: main
Choose a base branch
from
Open

✨ (feat): When using Boxcutter feature-gate, use ClusterExtension ServiceAccount for revision operations #2429

camilamacedo86 wants to merge 4 commits into from
+452 −60

Conversation

@camilamacedo86
Copy link
Contributor

@camilamacedo86 camilamacedo86 commented Jan 6, 2026
edited
Loading

What's New

When BoxcutterRuntime is enabled, OLM v1 now correctly uses the ServiceAccount you specify in your ClusterExtension to install and manage extensions. This ensures your extensions are installed with only the permissions you grant, not admin privileges.

What This Means for You

More Control:

  • Extensions can only create resources that the ServiceAccount is allowed to create
  • If an extension tries to create something without permission, it fails immediately with a clear error
  • You see exactly which ServiceAccount performed each action in audit logs

Better Security:

  • Extensions no longer bypass RBAC during installation
  • Each extension limited to its ServiceAccount's permissions
  • No more admin-level access by default

Example

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-installer
  namespace: my-app
---
apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  name: my-extension
spec:
  namespace: my-app
  serviceAccount:
    name: my-installer  # ← Your extension uses this SA's permissions
  source:
    sourceType: Catalog
    catalog:
      packageName: my-package

What happens: OLM installs the extension using my-installer ServiceAccount. The extension can only do what you've granted that ServiceAccount permission to do.

Copilot AI review requested due to automatic review settings January 6, 2026 17:22
@camilamacedo86 camilamacedo86 requested a review from a team as a code owner January 6, 2026 17:22
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 6, 2026
@openshift-ci openshift-ci bot requested review from grokspawn and oceanc80 January 6, 2026 17:22
@netlify
Copy link

netlify bot commented Jan 6, 2026
edited
Loading

Deploy Preview for olmv1 ready!

Name Link
🔨 Latest commit 76b836b
🔍 Latest deploy log https://app.netlify.com/projects/olmv1/deploys/695ebad70d13a50008f45b45
😎 Deploy Preview https://deploy-preview-2429--olmv1.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

This comment was marked as outdated.

Sign in to view

Copilot AI review requested due to automatic review settings January 6, 2026 18:41
@operator-framework operator-framework deleted a comment from Copilot AI Jan 6, 2026
@operator-framework operator-framework deleted a comment from Copilot AI Jan 6, 2026
@operator-framework operator-framework deleted a comment from Copilot AI Jan 6, 2026
@operator-framework operator-framework deleted a comment from Copilot AI Jan 6, 2026
@camilamacedo86 camilamacedo86 changed the title WIP: (feat): [Boxcutter] Use serviceAccount for ClusterExtensionRevision operations ✨ Boxcutter ClusterExtensionRevision operations now uses .spec.serviceAccount Jan 6, 2026
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 6, 2026
@camilamacedo86 camilamacedo86 changed the title ✨ Boxcutter ClusterExtensionRevision operations now uses .spec.serviceAccount WIP ✨ Boxcutter ClusterExtensionRevision operations now uses .spec.serviceAccount Jan 6, 2026
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 6, 2026
Copilot AI reviewed Jan 6, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@operator-framework operator-framework deleted a comment from Copilot AI Jan 6, 2026
@operator-framework operator-framework deleted a comment from Copilot AI Jan 6, 2026
Copilot AI review requested due to automatic review settings January 7, 2026 11:32
@camilamacedo86 camilamacedo86 changed the title WIP ✨ Boxcutter ClusterExtensionRevision operations now uses .spec.serviceAccount ✨ Boxcutter ClusterExtensionRevision operations now uses .spec.serviceAccount Jan 7, 2026
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 7, 2026
Copilot AI review requested due to automatic review settings January 7, 2026 16:49
@camilamacedo86 camilamacedo86 changed the title WIP ✨ (feat): When using Boxcutter feature-gate, use ClusterExtension ServiceAccount for revision operations (Future: Easy Mode Support) WIP ✨ (feat): When using Boxcutter feature-gate, use ClusterExtension ServiceAccount for revision operations Jan 7, 2026
Copilot AI reviewed Jan 7, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot AI review requested due to automatic review settings January 7, 2026 18:13
@openshift-ci
Copy link

openshift-ci bot commented Jan 7, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign perdasilva for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copilot AI reviewed Jan 7, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot AI review requested due to automatic review settings January 7, 2026 18:26
@camilamacedo86 camilamacedo86 changed the title WIP ✨ (feat): When using Boxcutter feature-gate, use ClusterExtension ServiceAccount for revision operations ✨ (feat): When using Boxcutter feature-gate, use ClusterExtension ServiceAccount for revision operations Jan 7, 2026
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 7, 2026
camilamacedo86
camilamacedo86 commented Jan 7, 2026
View reviewed changes
test/e2e/steps/testdata/rbac-template.yaml
# for roles it doesn't have and grant permissions beyond its own. This is required
# because extension bundles contain their own RBAC that must be created.
# See docs/concepts/permission-model.md for details on these requirements.
verbs: [ update, create, list, watch, get, delete, patch, bind, escalate ]
Copy link
Contributor Author

@camilamacedo86 camilamacedo86 Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@perdasilva that proves it is working :-)
The permissions were missing, and e2e tests were failing.

Copilot AI reviewed Jan 7, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@camilamacedo86 camilamacedo86 changed the title ✨ (feat): When using Boxcutter feature-gate, use ClusterExtension ServiceAccount for revision operations WIP ✨ (feat): When using Boxcutter feature-gate, use ClusterExtension ServiceAccount for revision operations Jan 7, 2026
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 7, 2026
@camilamacedo86
(feat): [Boxcutter] Use ClusterExtension ServiceAccount for revision …
2f9b1d4 
…operations

Implement serviceAccount-scoped token-based authentication for
ClusterExtensionRevision controller using annotation-based configuration.

- Add RevisionEngineFactory with CreateRevisionEngine(ctx, rev) interface
- Read ServiceAccount from annotations (no ClusterExtension dependency)
- Token-based auth using TokenInjectingRoundTripper
- ServiceAccount name and namespace in annotations for observability
- TrackingCache uses global client for caching/cleanup
- Comprehensive error path tests

ClusterExtensionRevision can exist independently.
Easy mode impersonation deferred until API is finalized.

Assisted-by: Cursor
@camilamacedo86
(fix) e2e test RBAC: add bind/escalate verbs
b456e6e 
Scoped ServiceAccount clients need `bind` and `escalate` verbs
to create ClusterRoleBindings. The admin client previously used
bypassed this RBAC requirement.

The documentation (docs/concepts/permission-model.md) already specifies
that ServiceAccounts need `bind` and `escalate` verbs for RBAC resources
to install extensions with their own RBAC.

The e2e test template was missing these verbs, causing tests to fail when
using scoped ServiceAccount clients (which properly enforce Kubernetes RBAC)
instead of the admin client.
@camilamacedo86
(doc) Add godoc comments to label constants
6c61d45 
Adds documentation comments to all label/annotation constants explaining:
- What each constant represents
- Where they are applied (labels vs annotations)
- ServiceAccount constants document their relationship to ClusterExtension spec

Addresses code review feedback for improved maintainability.
@camilamacedo86
(fix) Add ClusterExtensionRevision permissions to upgrade test RBAC
76b836b 
The upgrade test ServiceAccount needs permissions to manage
ClusterExtensionRevisions when BoxcutterRuntime is enabled.
Without these permissions, the upgraded controller cannot create
or update ClusterExtensionRevision resources, causing the
ClusterExtension to fail reconciliation after upgrade.
@camilamacedo86 camilamacedo86 changed the title WIP ✨ (feat): When using Boxcutter feature-gate, use ClusterExtension ServiceAccount for revision operations ✨ (feat): When using Boxcutter feature-gate, use ClusterExtension ServiceAccount for revision operations Jan 7, 2026
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@grokspawn grokspawn Awaiting requested review from grokspawn

@oceanc80 oceanc80 Awaiting requested review from oceanc80

@perdasilva perdasilva Awaiting requested review from perdasilva

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@camilamacedo86 @perdasilva