When you install an operator with OLM v0, OLM adds the operator’s provided APIs to the admin/edit/view roles for all namespaces. This means that any user with admin, edit, or view permission in any namespace has access to the operator’s APIs, and there is no way to change this.
Users have asked for a finer-grained permissions configuration for operator APIs. In addition to continuing to support the v0 model described above, v1 gives you more flexibility with new options:
No permission management of any kind; RBAC configuration is left to the user managing the operator (likely an admin).
Configure access in specific namespaces by name and/or label selector
Configure admin/edit/view access for specific users and/or groups
Configure custom permissions for specific users and/or groups
Configure access to all operator-provided APIs, or a specific subset
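The v0 behaviour described above can be audited from a cluster's ClusterRoles. This added example (not code from the issue or from OLM) assumes the grant is made through the standard Kubernetes `rbac.authorization.k8s.io/aggregate-to-*` labels; the role names, the `example.com` API group and the sample data are constructed.

```python
import json

# Standard Kubernetes labels that aggregate a ClusterRole's rules into a default role.
AGG_PREFIX = "rbac.authorization.k8s.io/aggregate-to-"
# The default roles chain: view aggregates into edit, and edit aggregates into admin.
PROPAGATES = {"view": ("view", "edit", "admin"), "edit": ("edit", "admin"), "admin": ("admin",)}

def aggregated_grants(cluster_roles, api_groups):
    """Map each default role to the rules on `api_groups` that reach it through aggregation."""
    grants = {role: set() for role in PROPAGATES}
    for cr in cluster_roles:
        meta = cr.get("metadata", {})
        labels = meta.get("labels") or {}
        reached = {t for src, targets in PROPAGATES.items()
                   if labels.get(AGG_PREFIX + src) == "true" for t in targets}
        for rule in cr.get("rules") or []:
            verbs = tuple(sorted(rule.get("verbs", [])))
            for group in rule.get("apiGroups", []):
                if group not in api_groups and group != "*":
                    continue  # rule does not touch the operator's API groups
                for res in rule.get("resources", []):
                    for t in reached:
                        grants[t].add((meta.get("name"), group, res, verbs))
    return {role: sorted(entries) for role, entries in grants.items()}

# Constructed sample in the shape of `kubectl get clusterroles -o json`; all names are made up.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "widgets.example.com-v1-admin",
   "labels": {"rbac.authorization.k8s.io/aggregate-to-admin": "true"}},
  "rules": [{"apiGroups": ["example.com"], "resources": ["widgets"], "verbs": ["*"]}]},
 {"metadata": {"name": "widgets.example.com-v1-view",
   "labels": {"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
  "rules": [{"apiGroups": ["example.com"], "resources": ["widgets"],
             "verbs": ["get", "list", "watch"]}]},
 {"metadata": {"name": "unrelated-reader", "labels": {}},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]}]}
]}
""")

if __name__ == "__main__":
    for role, entries in aggregated_grants(SAMPLE["items"], {"example.com"}).items():
        for name, group, res, verbs in entries:
            print(f"{role}: {res}.{group} verbs={','.join(verbs)} (via {name})")
```

Any namespace-scoped RoleBinding to `admin`, `edit` or `view` picks up the rules listed for that role, which is the all-namespaces exposure the issue describes.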
joelanford changed the title from "Ability to configure user/group permissions to an Operator's provided APIs" to "[epic] Ability to configure user/group permissions to an Operator's provided APIs" on Apr 4, 2024
This is not a high priority yet. This was written at least a year back and we need to examine this again to find where it fits in our priority. However, we will be happy to get feedback on use-cases on this.
Summary
Design Docs
Task List