Support of aggregated ClusterRoles in ClusterServiceVersion
Feature Request
Is your feature request related to a problem? Please describe.
ClusterServiceVersion currently only supports specific rules. I submitted an operator to operatorhub with the aggregated ClusterRoles. It turned out that I had to convert the aggregated ClusterRoles into the specific rules one by one in the ClusterServiceVersion YAML file.
Describe the solution you'd like
It will be very handy if ClusterServiceVersion adds support for aggregated ClusterRoles.
One example of the aggregated ClusterRoles:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.example.com/aggregate-to-monitoring: "true"
rules: [] # The control plane automatically fills in the rules
@akihikokuroda @bradtopol What do you think?
This is currently what we support:
spec:
  install:
    spec:
      clusterPermissions:
      - rules:
        - apiGroups:
          - operator.knative.dev
          resources:
          - '*'
          verbs:
          - '*'
        serviceAccountName: knative-operator
After adding the support of the aggregated cluster roles:
spec:
  install:
    spec:
      clusterPermissions:
      - rules:
        - apiGroups:
          - operator.knative.dev
          resources:
          - '*'
          verbs:
          - '*'
      - aggregationRules:
        - aggregationRule:
            clusterRoleSelectors:
            - matchExpressions:
              - key: app.kubernetes.io/name
                operator: In
                values:
                - knative-eventing
        serviceAccountName: knative-operator
Similar to #2039 -- this is something that we would like to tackle in the new version of the OLM v2 APIs.
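The manual conversion described in the issue (aggregated ClusterRole to explicit rules) can be scripted so the CSV lists exactly the permissions the aggregation would grant instead of falling back to wildcards. The following is an added example, not code from the issue or from OLM: it applies Kubernetes label-selector semantics to constructed sample ClusterRoles, and `example-operator` is a placeholder service account name.

```python
# Added example: resolve an aggregated ClusterRole into explicit CSV rules offline.
import json

def expr_matches(expr, labels):
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown selector operator: {op}")

def selector_matches(selector, labels):
    # Within one selector, matchLabels and matchExpressions are ANDed.
    wanted = selector.get("matchLabels", {})
    if any(labels.get(k) != v for k, v in wanted.items()):
        return False
    return all(expr_matches(e, labels) for e in selector.get("matchExpressions", []))

def flatten(aggregate, cluster_roles):
    """Union of rules from every role matched by any clusterRoleSelector (ORed)."""
    selectors = aggregate["aggregationRule"]["clusterRoleSelectors"]
    rules = []
    for role in cluster_roles:
        labels = role["metadata"].get("labels", {})
        if role is aggregate or not any(selector_matches(s, labels) for s in selectors):
            continue
        for rule in role.get("rules", []):
            if rule not in rules:  # de-duplicate identical rules
                rules.append(rule)
    return rules

# Constructed sample data; the "monitoring" role mirrors the one in the issue.
MONITORING = {"metadata": {"name": "monitoring"}, "rules": [],
              "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {
                  "rbac.example.com/aggregate-to-monitoring": "true"}}]}}
ROLES = [
    MONITORING,
    {"metadata": {"name": "monitoring-endpoints",
                  "labels": {"rbac.example.com/aggregate-to-monitoring": "true"}},
     "rules": [{"apiGroups": [""], "resources": ["services", "pods"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "secrets-admin", "labels": {"team": "platform"}},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]},
]

if __name__ == "__main__":  # one clusterPermissions entry, shaped as in the issue
    print(json.dumps({"rules": flatten(MONITORING, ROLES),
                      "serviceAccountName": "example-operator"}, indent=2))
```

Because the flattened rules are a snapshot, any ClusterRole that later gains the aggregation label is not picked up until the script is re-run and the CSV is updated.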