Replace cluster-admin with least-privilege RBAC for BoxcutterRuntime (#2514)

The operator-controller service account was bound to the cluster-admin
ClusterRole when the BoxcutterRuntime feature gate was enabled. Replace
this with explicit, scoped RBAC rules in the operator-controller-manager-role
ClusterRole:

- list+watch on all API groups and resources (*/*), required for the
  boxcutter runtime to set up informers for arbitrary resource types
  defined in ClusterExtensionRevision phases
- Full CRUD (create, get, list, patch, update, watch) on
  clusterextensionrevisions
- patch+update on clusterextensionrevisions/status
- update on clusterextensionrevisions/finalizers

The ClusterRoleBinding now always references operator-controller-manager-role
regardless of whether BoxcutterRuntime is enabled, removing the conditional
cluster-admin binding. Static manifests (experimental.yaml and
experimental-e2e.yaml) are updated to match.

Co-authored-by: Per G. da Silva <pegoncal@redhat.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: 3 people

helm/olmv1/templates/rbac/clusterrole-operator-controller-manager-role.yml

@@ -72,4 +72,37 @@ rules:
     verbs:
       - use
   {{- end }}
+  {{- if has "BoxcutterRuntime" .Values.options.operatorController.features.enabled }}
+  - apiGroups:
+      - "*"
+    resources:
+      - "*"
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - olm.operatorframework.io
+    resources:
+      - clusterextensionrevisions
+    verbs:
+      - create
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - olm.operatorframework.io
+    resources:
+      - clusterextensionrevisions/status
+    verbs:
+      - patch
+      - update
+  - apiGroups:
+      - olm.operatorframework.io
+    resources:
+      - clusterextensionrevisions/finalizers
+    verbs:
+      - update
+  {{- end }}
 {{- end }}

helm/olmv1/templates/rbac/clusterrolebinding-operator-controller-manager-rolebinding.yml

@@ -16,11 +16,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-{{- if has "BoxcutterRuntime" .Values.options.operatorController.features.enabled }}
-  name: cluster-admin
-{{- else }}
   name: operator-controller-manager-role
-{{- end }}
 subjects:
   - kind: ServiceAccount
     name: operator-controller-controller-manager

manifests/experimental-e2e.yaml

@@ -1824,6 +1824,37 @@ rules:
     verbs:
       - list
       - watch
+  - apiGroups:
+      - "*"
+    resources:
+      - "*"
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - olm.operatorframework.io
+    resources:
+      - clusterextensionrevisions
+    verbs:
+      - create
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - olm.operatorframework.io
+    resources:
+      - clusterextensionrevisions/status
+    verbs:
+      - patch
+      - update
+  - apiGroups:
+      - olm.operatorframework.io
+    resources:
+      - clusterextensionrevisions/finalizers
+    verbs:
+      - update
 ---
 # Source: olmv1/templates/rbac/clusterrolebinding-catalogd-manager-rolebinding.yml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -1895,7 +1926,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cluster-admin
+  name: operator-controller-manager-role
 subjects:
   - kind: ServiceAccount
     name: operator-controller-controller-manager

manifests/experimental.yaml

@@ -1785,6 +1785,37 @@ rules:
     verbs:
       - list
       - watch
+  - apiGroups:
+      - "*"
+    resources:
+      - "*"
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - olm.operatorframework.io
+    resources:
+      - clusterextensionrevisions
+    verbs:
+      - create
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - olm.operatorframework.io
+    resources:
+      - clusterextensionrevisions/status
+    verbs:
+      - patch
+      - update
+  - apiGroups:
+      - olm.operatorframework.io
+    resources:
+      - clusterextensionrevisions/finalizers
+    verbs:
+      - update
 ---
 # Source: olmv1/templates/rbac/clusterrolebinding-catalogd-manager-rolebinding.yml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -1856,7 +1887,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cluster-admin
+  name: operator-controller-manager-role
 subjects:
   - kind: ServiceAccount
     name: operator-controller-controller-manager