test: Add RBAC escalation test for installer ServiceAccount permissions

camilamacedo86 · camilamacedo86 · commit d181d676d46e · 2026-01-12T12:59:54.000Z
Add rbac-escalation-operator test bundle and e2e scenario to validate
that the ClusterExtension installer ServiceAccount can install operators
with diverse RBAC requirements.

This operator requires storage.k8s.io and scheduling.k8s.io permissions
that differ from the basic test-operator, ensuring the installer SA's
bind/escalate verbs are properly exercised per the documented permission
model in docs/concepts/permission-model.md.

The test validates:
- Installer SA can create RBAC for operators with different permissions
- Kubernetes escalation prevention works with bind/escalate verbs
- OLMv1 permission model supports diverse operator requirements
- Regression prevention for RBAC permission issues
diff --git a/test/e2e/features/rbac-escalation.feature b/test/e2e/features/rbac-escalation.feature
@@ -0,0 +1,37 @@
+Feature: RBAC Permissions for Extension Installation
+
+  Background:
+    Given OLM is available
+    And ClusterCatalog "test" serves bundles
+    And ServiceAccount "olm-sa" with needed permissions is available in ${TEST_NAMESPACE}
+
+  # This test verifies that the ClusterExtension installer ServiceAccount has the necessary
+  # RBAC permissions to install operators with different permission requirements.
+  #
+  # The rbac-escalation-operator requires permissions beyond what test-operator needs,
+  # testing that the installer SA can create ClusterRoleBindings for roles with
+  # permissions the SA itself doesn't directly possess (via bind/escalate verbs).
+  #
+  # See: docs/concepts/permission-model.md for OLMv1 permission requirements
+  Scenario: Install operator with different RBAC requirements
+    When ClusterExtension is applied
+      """
+      apiVersion: olm.operatorframework.io/v1
+      kind: ClusterExtension
+      metadata:
+        name: rbac-escalation-test
+      spec:
+        namespace: ${TEST_NAMESPACE}
+        serviceAccount:
+          name: olm-sa
+        source:
+          sourceType: Catalog
+          catalog:
+            packageName: rbac-escalation-operator
+            selector:
+              matchLabels:
+                "olm.operatorframework.io/metadata.name": test-catalog
+      """
+    Then ClusterExtension is available
+    And bundle "rbac-escalation-operator.1.0.0" is installed in version "1.0.0"
+
diff --git a/testdata/images/bundles/rbac-escalation-operator/README.md b/testdata/images/bundles/rbac-escalation-operator/README.md
@@ -0,0 +1,122 @@
+# RBAC Escalation Test Operator
+
+## Purpose
+
+This operator bundle tests that the ClusterExtension installer ServiceAccount has proper RBAC permissions to install operators with varying permission requirements.
+
+## Why This Bundle Exists
+
+### Testing RBAC Escalation Scenarios
+
+The standard `test-operator` bundle has minimal RBAC requirements (only `tokenreviews` and `subjectaccessreviews`) that happen to match what the test ServiceAccount already has. This operator tests a more realistic scenario where an operator requires **different permissions**:
+
+**Required Permissions** (from CSV clusterPermissions):
+- `storage.k8s.io/storageclasses` [create, update, delete, list, watch, get]
+- `scheduling.k8s.io/priorityclasses` [create, update, delete, list, watch, get]
+
+**Test SA Permissions** (from rbac-template.yaml):
+- Does NOT have `storage.k8s.io` permissions directly
+- Does NOT have `scheduling.k8s.io` permissions directly
+- **Must have** `bind` and `escalate` verbs to create the necessary RBAC
+
+**Kubernetes RBAC Check**:
+When OLMv1 tries to create the ClusterRoleBinding for this operator, Kubernetes checks:
+1. Can SA create clusterrolebindings resource? → YES ✅
+2. Can SA bind this specific role?
+   - Option A: Has `bind` verb? → Required when role has permissions SA doesn't have
+   - Option B: Has ALL permissions in role? → Not applicable (SA doesn't have storage.k8s.io)
+3. **Result**: Requires `bind` verb for successful installation
+
+## Expected Behavior
+
+### With Proper RBAC (bind/escalate verbs)
+
+**Test SA must have** in `test/e2e/steps/testdata/rbac-template.yaml`:
+```yaml
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: [clusterroles, roles, clusterrolebindings, rolebindings]
+  verbs: [ update, create, list, watch, get, delete, patch, bind, escalate ]
+```
+
+The `bind` and `escalate` verbs allow the installer SA to create RBAC resources that grant permissions beyond what the SA itself has, which is required per the OLMv1 permission model.
+
+## Bundle Structure
+
+```
+rbac-escalation-operator/
+└── v1.0.0/
+    ├── manifests/
+    │   └── rbac-escalation-operator.clusterserviceversion.yaml
+    └── metadata/
+        └── annotations.yaml
+```
+
+## Integration
+
+### Catalog Entry
+
+Added to `testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml`:
+```yaml
+schema: olm.package
+name: rbac-escalation-operator
+defaultChannel: stable
+---
+schema: olm.channel
+name: stable
+package: rbac-escalation-operator
+entries:
+  - name: rbac-escalation-operator.1.0.0
+---
+schema: olm.bundle
+name: rbac-escalation-operator.1.0.0
+package: rbac-escalation-operator
+image: docker-registry.operator-controller-e2e.svc.cluster.local:5000/bundles/registry-v1/rbac-escalation-operator:v1.0.0
+```
+
+### E2E Test
+
+Test scenario in `test/e2e/features/rbac-escalation.feature`:
+- Installs rbac-escalation-operator
+- Expects installation to succeed
+- On main: **WILL FAIL** (proves bug)
+- After fix: **WILL PASS** (proves fix works)
+
+## Usage
+
+### Running the Test
+
+```bash
+# Run all e2e tests (includes this test)
+make test-e2e
+
+# Or run just this feature
+go test -v ./test/e2e/features_test.go -godog.paths=test/e2e/features/rbac-escalation.feature
+```
+
+**Expected**: Test passes when test SA has `bind` and `escalate` verbs
+
+### What This Test Validates
+
+1. Installer SA can create RBAC for operators with different permission needs
+2. Kubernetes escalation prevention works correctly with `bind`/`escalate` verbs
+3. OLMv1 permission model is correctly implemented
+4. Regression prevention for RBAC permission requirements
+
+## References
+
+- **Permission Model Documentation**: `docs/concepts/permission-model.md`
+- **Kubernetes RBAC**: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping
+- **Related PR**: #2429 - Adds bind/escalate to fix this issue
+
+## Notes
+
+This operator is intentionally minimal - it exists solely to test RBAC escalation scenarios. The bundle requires permissions (storage.k8s.io, scheduling.k8s.io) that are different from what simpler test operators need, ensuring that the installer ServiceAccount's `bind` and `escalate` verbs are properly exercised.
+
+This validates that OLMv1 can install operators with diverse permission requirements, not just operators that happen to need the same permissions as the installer SA.
+
+---
+
+**Created**: 2026-01-12  
+**Purpose**: Test RBAC escalation handling with bind/escalate verbs  
+**Type**: Regression test for proper RBAC permission model implementation
+
diff --git a/testdata/images/bundles/rbac-escalation-operator/v1.0.0/manifests/rbac-escalation-operator.clusterserviceversion.yaml b/testdata/images/bundles/rbac-escalation-operator/v1.0.0/manifests/rbac-escalation-operator.clusterserviceversion.yaml
@@ -0,0 +1,85 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: ClusterServiceVersion
+metadata:
+  name: rbac-escalation-operator.v1.0.0
+  namespace: placeholder
+spec:
+  apiservicedefinitions: {}
+  customresourcedefinitions:
+    owned: []
+  description: Test operator for validating RBAC escalation handling with diverse permission requirements
+  displayName: RBAC Escalation Test Operator
+  install:
+    spec:
+      deployments:
+        - name: rbac-escalation-operator
+          spec:
+            replicas: 1
+            selector:
+              matchLabels:
+                app: rbac-escalation
+            template:
+              metadata:
+                labels:
+                  app: rbac-escalation
+              spec:
+                terminationGracePeriodSeconds: 0
+                containers:
+                  - name: manager
+                    image: busybox:1.37
+                    command: ["/bin/sh", "-c", "sleep 3600"]
+                serviceAccountName: rbac-escalation-sa
+      # These permissions differ from test-operator's requirements to validate
+      # that the installer SA can handle operators with diverse RBAC needs
+      clusterPermissions:
+        - rules:
+            # Requires storage.k8s.io permissions to test RBAC escalation handling
+            - apiGroups:
+                - storage.k8s.io
+              resources:
+                - storageclasses
+              verbs:
+                - create
+                - update
+                - delete
+                - list
+                - watch
+                - get
+            # Requires scheduling.k8s.io permissions to test diverse RBAC scenarios
+            - apiGroups:
+                - scheduling.k8s.io
+              resources:
+                - priorityclasses
+              verbs:
+                - create
+                - update
+                - delete
+                - list
+                - watch
+                - get
+          serviceAccountName: rbac-escalation-sa
+    strategy: deployment
+  installModes:
+    - supported: false
+      type: OwnNamespace
+    - supported: false
+      type: SingleNamespace
+    - supported: false
+      type: MultiNamespace
+    - supported: true
+      type: AllNamespaces
+  keywords:
+    - rbac-testing
+    - escalation
+  links:
+    - name: RBAC Escalation Operator
+      url: https://github.com/operator-framework/operator-controller
+  maintainers:
+    - email: dev@operatorframework.io
+      name: OLM Team
+  maturity: alpha
+  provider:
+    name: Operator Framework
+    url: https://operatorframework.io
+  version: 1.0.0
+
diff --git a/testdata/images/bundles/rbac-escalation-operator/v1.0.0/metadata/annotations.yaml b/testdata/images/bundles/rbac-escalation-operator/v1.0.0/metadata/annotations.yaml
@@ -0,0 +1,8 @@
+annotations:
+  operators.operatorframework.io.bundle.channel.default.v1: stable
+  operators.operatorframework.io.bundle.channels.v1: stable
+  operators.operatorframework.io.bundle.manifests.v1: manifests/
+  operators.operatorframework.io.bundle.mediatype.v1: registry+v1
+  operators.operatorframework.io.bundle.metadata.v1: metadata/
+  operators.operatorframework.io.bundle.package.v1: rbac-escalation-operator
+
diff --git a/testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml b/testdata/images/catalogs/test-catalog/v1/configs/catalog.yaml
@@ -159,3 +159,24 @@ properties:
     value:
       packageName: single-namespace-operator
       version: 1.0.0
+---
+schema: olm.package
+name: rbac-escalation-operator
+defaultChannel: stable
+---
+schema: olm.channel
+name: stable
+package: rbac-escalation-operator
+entries:
+  - name: rbac-escalation-operator.1.0.0
+---
+schema: olm.bundle
+name: rbac-escalation-operator.1.0.0
+package: rbac-escalation-operator
+image: docker-registry.operator-controller-e2e.svc.cluster.local:5000/bundles/registry-v1/rbac-escalation-operator:v1.0.0
+properties:
+  - type: olm.package
+    value:
+      packageName: rbac-escalation-operator
+      version: 1.0.0
+
