
✨ Add SyntheticPermissions support and migrate to ServiceAccount impersonation

Open joelanford opened this issue 1 week ago • 4 comments

Summary

This PR introduces support for SyntheticPermissions (experimental feature) and migrates OLM v1 from token-based authentication to ServiceAccount impersonation for improved security and simplified authentication management.

What Changed

1. CRD Generator Enhancements (Commit c08e67996)

Extended the CRD generator to support channel-specific field requirements and descriptions:

  • Added tags to allow for differences between standard and experimental channels' required vs optional fields
  • Added opcon:standard:description tags for channel-specific documentation (complementing existing experimental descriptions)
  • Refactored opconTweaks functions to modify the parent schema's required fields list

These enhancements enable the following API changes.

2. Optional ServiceAccount in Experimental Channel (Commit 1094bc94b)

Made the serviceAccount field optional in the experimental channel while keeping it required in the standard channel:

ClusterExtension API changes:

  • serviceAccount field uses new validation tags to be optional (experimental) vs required (standard)
  • Channel-specific descriptions explain the authentication behavior

Generated artifacts updated:

  • CRDs for both channels with appropriate field requirements
  • API reference documentation
  • All manifest files (standard, experimental, e2e variants)

3. SyntheticPermissions Feature Gate (Commit 189a05a5e)

Enabled the SyntheticPermissions feature gate and implemented the logic for synthetic user authentication. When serviceAccount.Name is empty in experimental:

  • Authenticates as synthetic user: olm:clusterextension:<clusterExtensionName>
  • Member of synthetic group: olm:clusterextensions

Feature gate:

  • Enabled in experimental helm values (helm/experimental.yaml)
  • Enabled in tilt configuration (helm/tilt.yaml)

RBAC permissions:

  • Added conditional RBAC rules for impersonating:
    • Any user (for synthetic users like olm:clusterextension:<clusterExtensionName>)
    • The olm:clusterextensions group
  • Rules only included when SyntheticPermissions feature gate is enabled

Implementation:

  • Updated SyntheticUserRestConfigMapper to check for empty SA name (instead of sentinel value)
  • Modified NewRBACPreAuthorizer to accept a userInfoMapper function
  • Implemented userInfoMapper in main.go that:
    • Returns synthetic user info when SA name is empty AND feature gate is enabled
    • Returns service account user info when SA name is specified
  • Updated tests to work with the new userInfoMapper pattern

Authentication behavior:

  • When ServiceAccount.Name is empty + SyntheticPermissions enabled: synthetic user impersonation
  • When ServiceAccount.Name is specified: service account impersonation

4. ServiceAccount Impersonation (Commit 324a970e7)

Replaced token-based authentication with ServiceAccount impersonation for all authentication in the standard and experimental channels:

Authentication layer changes:

  • Added ServiceAccountImpersonationConfig() function returning an ImpersonationConfig
  • Updated ServiceAccountRestConfigMapper() to use NewImpersonatingRoundTripper
  • Removed 285 lines of token management code:
    • tokengetter.go - Token lifecycle management
    • tokengetter_test.go - Token getter tests
    • tripper.go - Token injection round tripper

RBAC changes:

  • Changed from serviceaccounts/token create permission
  • To serviceaccounts impersonate permission

Controller simplifications:

  • Removed ServiceAccountNotFoundError handling (impersonation doesn't require SA to exist beforehand)
  • Removed authentication package import from controller

Tests updated:

  • Verify impersonation headers instead of token injection
  • Added tests for ServiceAccountImpersonationConfig
  • Updated controller tests that referenced TokenGetter

Benefits:

  • No token lifecycle management or expiration handling
  • No need to verify ServiceAccount exists before use
  • Simpler codebase with fewer moving parts
  • More secure - no tokens created or cached
  • Enhanced security - No longer requires creating highly privileged ServiceAccounts that could be mounted by workloads in the install namespace

Testing

  • Unit tests updated to verify impersonation behavior
  • Authorization tests updated for userInfoMapper pattern
  • CRD generation tests pass with new validation tags

Reviewer Checklist

  • [ ] API Go Documentation
  • [ ] Tests: Unit Tests (and E2E Tests, if appropriate)
  • [ ] Comprehensive Commit Messages
  • [ ] Links to related GitHub Issue(s)

joelanford · Nov 19 '25 21:11
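The two mechanisms the PR description relies on, the userInfoMapper that picks a synthetic or ServiceAccount identity (section 3) and the impersonating round tripper that replaces token injection (section 4), as an added, stand-alone example. This is not operator-controller's code and does not import client-go: the `UserInfo`, `MapUserInfo`, `impersonatingRoundTripper` and `ImpersonationHeaders` names are assumptions, the synthetic user and group strings are the ones the PR states, the `system:serviceaccount:<ns>:<name>` name and its two fixed groups are Kubernetes' standard ServiceAccount identity, and the `Impersonate-User` / `Impersonate-Group` headers are the ones `transport.NewImpersonatingRoundTripper` sets. Returning an error for an empty SA name while the feature gate is off is an assumption too; the PR does not say what its mapper does there.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// UserInfo is the identity the controller impersonates when it calls the API server.
// (Type and function names in this file are assumptions, not operator-controller's.)
type UserInfo struct {
	Name   string
	Groups []string
}

// SyntheticUserInfo returns the synthetic identity the PR describes for a
// ClusterExtension whose serviceAccount.name is empty.
func SyntheticUserInfo(clusterExtensionName string) UserInfo {
	return UserInfo{
		Name:   "olm:clusterextension:" + clusterExtensionName,
		Groups: []string{"olm:clusterextensions"},
	}
}

// ServiceAccountUserInfo returns the fixed identity Kubernetes assigns to a
// ServiceAccount: system:serviceaccount:<ns>:<name> plus its two fixed groups.
func ServiceAccountUserInfo(namespace, name string) UserInfo {
	return UserInfo{
		Name:   fmt.Sprintf("system:serviceaccount:%s:%s", namespace, name),
		Groups: []string{"system:serviceaccounts", "system:serviceaccounts:" + namespace},
	}
}

// MapUserInfo plays the role of the userInfoMapper the PR wires into the RBAC
// pre-authorizer: an empty SA name maps to the synthetic user only while the
// SyntheticPermissions gate is on. Rejecting the gate-off/empty-name case is an
// assumption; the PR does not say what its mapper does there.
func MapUserInfo(gateEnabled bool, clusterExtensionName, installNamespace, saName string) (UserInfo, error) {
	if saName == "" {
		if !gateEnabled {
			return UserInfo{}, fmt.Errorf("serviceAccount.name is empty but SyntheticPermissions is disabled")
		}
		return SyntheticUserInfo(clusterExtensionName), nil
	}
	return ServiceAccountUserInfo(installNamespace, saName), nil
}

// impersonatingRoundTripper sets the Kubernetes impersonation headers on each
// request, which is what client-go's transport.NewImpersonatingRoundTripper does.
// The controller's own credentials still authenticate the request; RBAC must
// grant it "impersonate" on the user and groups asserted here, and nothing
// else (no token) is minted, stored or mounted.
type impersonatingRoundTripper struct {
	user     UserInfo
	delegate http.RoundTripper
}

func (rt impersonatingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Impersonate-User", rt.user.Name)
	r.Header.Del("Impersonate-Group")
	for _, g := range rt.user.Groups {
		r.Header.Add("Impersonate-Group", g)
	}
	return rt.delegate.RoundTrip(r)
}

// ImpersonationHeaders sends one request through the round tripper to a local
// stand-in for the API server and returns the impersonation headers it received,
// which is the check the PR's updated tests perform instead of looking for a token.
func ImpersonationHeaders(user UserInfo) (string, []string, error) {
	var seenUser string
	var seenGroups []string
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seenUser = r.Header.Get("Impersonate-User")
		seenGroups = append([]string(nil), r.Header.Values("Impersonate-Group")...)
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	client := &http.Client{Transport: impersonatingRoundTripper{user: user, delegate: http.DefaultTransport}}
	resp, err := client.Get(srv.URL + "/api/v1/namespaces")
	if err != nil {
		return "", nil, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return seenUser, seenGroups, nil
}

func main() {
	// Constructed inputs: one ClusterExtension with an empty SA name, one with a named SA.
	for _, sa := range []string{"", "installer"} {
		user, err := MapUserInfo(true, "my-ext", "my-ext-system", sa)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		name, groups, err := ImpersonationHeaders(user)
		fmt.Printf("saName=%q -> Impersonate-User=%s Impersonate-Group=%v err=%v\n", sa, name, groups, err)
	}
}
```

Running it shows the empty-name case arrive at the fake API server as `olm:clusterextension:my-ext` in group `olm:clusterextensions`, and the named case as `system:serviceaccount:my-ext-system:installer`; in neither case does the controller need the ServiceAccount to exist or hold a token for it, which is the property the PR's "Benefits" list describes.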