operator-controller [epic] Permission validation pre-flight check

Once #737 is implemented, it will be important to have a pre-flight check that is able to evaluate if the ServiceAccount provided in the ClusterExtension has sufficient permissions to stamp out the content for a bundle on the cluster. Having this pre-flight check would:

Prevent partial installation/upgrade of bundles due to insufficient permissions on the provided ServiceAccount by failing fast before even attempting the installation/upgrade
Provide a more user friendly error message as to the exact permissions that are missing to install/upgrade content. Without this pre-flight check the install will fail the first time it encounters a permission error. The pre-flight check will be able to identify a list of missing permissions and return that in a failing status message.

I have done some previous work related to this in Carvel's kapp project [1]. It can be used as an inspiration for our own implementation or pulled in as a library (with a lightweight abstraction on top to satisfy the Preflight interface introduced in #979).

References:

1: https://github.com/carvel-dev/kapp/tree/develop/pkg/kapp/permissions

Brief: https://docs.google.com/document/d/1fCkUaaXebfF1237iRrFC-F7HNNe7-TFeXpN0wSUdiXc/edit?usp=sharing RFC: https://docs.google.com/document/d/1W7ThVE7yAd43IW1KETAB9x8pQqIRu7Dqs7jZi5QjQaM/edit?usp=sharing

User Stories:

[] #1858

Jun 27 '24 19:06 everettraven

This epic is a prerequisite for #919

Oct 22 '24 15:10 LalatenduMohanty

The first step is to schedule a design meeting and then work on the brief for this epic.

Nov 05 '24 16:11 LalatenduMohanty

Prior-art that could help kickstart some conversation: https://github.com/operator-framework/operator-controller/pull/1282

Nov 05 '24 16:11 everettraven

/assign @trgeiger

Nov 07 '24 20:11 everettraven

@everettraven: GitHub didn't allow me to assign the following users: trgeiger.

Note that only operator-framework members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. For more information please see the contributor guide

In response to this:

/assign @trgeiger

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Nov 07 '24 20:11 openshift-ci[bot]

@trgeiger did you really want to tackle this one? otherwise I'm psyched to work on it. Might be able to split up the work too.

Nov 12 '24 16:11 bentito

I'm happy to work together or help out, either way. I just wanted to dive head first into some of the upcoming work. I've got a brief and RFC started if you want to connect on that.

Nov 12 '24 20:11 trgeiger

Cool, I'm adding to the Brief now

Nov 14 '24 15:11 bentito

This work is being split into 2 stages:

Stage 1, which is currently being worked on, will perform the logic for determining which required permissions are missing and output those permissions in the Installed status condition's message.
Stage 2 will implement actual API changes to store missing permissions in a structured format for use with external tooling and future improvements to the UX to automate the ServiceAccount creation. Stage 2 work will be tracked in #1843

Mar 05 '25 19:03 trgeiger

Issues go stale after 90 days of inactivity. If there is no further activity, the issue will be closed in another 30 days.

Sep 06 '25 01:09 github-actions[bot]

This issue has been closed due to inactivity.

Oct 06 '25 01:10 github-actions[bot]