OLM creates new API groups and needs to grant access to those API groups (e.g. adding them to the aggregated view and edit roles).

I don't know of a role we could construct that would allow OLM to do this without cluster-admin.

For example:
- User installs OLM
- User uses OLM to install Etcd Operator
- OLM installs EtcdCluster CRD
- OLM needs to create an aggregated role for Group: "etcd.database.coreos.com/v1beta2", kind: "EtcdCluster"
- In order to create the Role it must have a superset of those permissions, but it can't because OLM doesn't know ahead of time what kinds a user will register via OLM.
- The only solution I know of is to grant access to all groups.


OLM is a controller over the api layer, much like the aggregation controller: https://github.com/kubernetes/kubernetes/blob/7f23a743e8c23ac6489340bbb34fa6f1d392db9d/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go#L81-L88 (it is also granted * *)

To fall in line with the boostrapped policy convention, I've added a ClusterRole for olm which explicitly states that it needs that permission. I'll update here when that change is merged.

Haven't fix yet.

This is fixed here: https://github.com/openshift/openshift-ansible/pull/9949 not merged yet

The fix is merged.

LGTM, verify it.

[root@qe-juzhao-311-gce-1-master-etcd-1 ~]# oc get clusterrolebinding olm-operator-binding-operator-lifecycle-manager -o yaml
apiVersion: authorization.openshift.io/v1
groupNames: null
kind: ClusterRoleBinding
metadata:
  creationTimestamp: 2018-09-11T03:29:24Z
  name: olm-operator-binding-operator-lifecycle-manager
  resourceVersion: "41478"
  selfLink: /apis/authorization.openshift.io/v1/clusterrolebindings/olm-operator-binding-operator-lifecycle-manager
  uid: e11efebd-b572-11e8-b1e8-42010af0000c
roleRef:
  name: system:controller:operator-lifecycle-manager
subjects:
- kind: ServiceAccount
  name: olm-operator-serviceaccount
  namespace: operator-lifecycle-manager
userNames:
- system:serviceaccount:operator-lifecycle-manager:olm-operator-serviceaccount
[root@qe-juzhao-311-gce-1-master-etcd-1 ~]# oc get clusterrole system:controller:operator-lifecycle-manager -o yaml
apiVersion: authorization.openshift.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: 2018-09-11T03:29:20Z
  name: system:controller:operator-lifecycle-manager
  resourceVersion: "41470"
  selfLink: /apis/authorization.openshift.io/v1/clusterroles/system%3Acontroller%3Aoperator-lifecycle-manager
  uid: df1c9f4e-b572-11e8-b1e8-42010af0000c
rules:
- apiGroups:
  - '*'
  attributeRestrictions: null
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups: null
  attributeRestrictions: null
  nonResourceURLs:
  - '*'
  resources: []
  verbs:
  - '*'

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2652