OSDOCS#12884[4.18][OLMv1]Create RBAC to manage and install ce

Author: michaelryanpeter

extensions/ce/managing-ce.adoc

@@ -8,7 +8,7 @@ toc::[]
 
 After a catalog has been added to your cluster, you have access to the versions, patches, and over-the-air updates of the extensions and Operators that are published to the catalog.
 
-You can manage extensions declaratively from the CLI using custom resources (CRs).
+You can use custom resources (CRs) to manage extensions declaratively from the CLI.
 
 include::modules/olmv1-supported-extensions.adoc[leveloffset=+1]
 
@@ -18,7 +18,14 @@ include::modules/olmv1-supported-extensions.adoc[leveloffset=+1]
 
 include::modules/olmv1-finding-operators-to-install.adoc[leveloffset=+1]
 include::modules/olmv1-catalog-queries.adoc[leveloffset=+2]
-include::modules/olmv1-creating-a-service-account.adoc[leveloffset=+1]
+include::modules/olmv1-cluster-extension-permissions.adoc[leveloffset=+1]
+include::modules/olmv1-creating-a-namespace.adoc[leveloffset=+2]
+include::modules/olmv1-creating-a-service-account.adoc[leveloffset=+2]
+include::modules/olmv1-downloading-bundle-manifests.adoc[leveloffset=+2]
+include::modules/olmv1-required-rbac-to-install-and-manage-extension-resources.adoc[leveloffset=+2]
+include::modules/olmv1-creating-a-cluster-role.adoc[leveloffset=+2]
+include::modules/olmv1-example-pipelines-operator-cluster-role.adoc[leveloffset=+2]
+include::modules/olmv1-creating-a-cluster-role-binding.adoc[leveloffset=+2]
 include::modules/olmv1-installing-an-operator.adoc[leveloffset=+1]
 
 [role="_additional-resources"]

modules/olmv1-cluster-extension-permissions.adoc

@@ -0,0 +1,20 @@
+// Module included in the following assemblies:
+//
+// * extensions/ce/managing-ce.adoc
+
+:_mod-docs-content-type: CONCEPT
+
+[id="olmv1-cluster-extension-permissions_{context}"]
+= Cluster extension permissions
+
+In {olmv0-first}, a single service account with cluster administrator privileges manages all cluster extensions.
+
+{olmv1} is designed to be more secure than {olmv0} by default. {olmv1} manages a cluster extension by using the service account specified in an extension's custom resource (CR). Cluster administrators can create a service account for each cluster extension. As a result, administrators can follow the principle of least privilege and assign only the role-based access controls (RBAC) to install and manage that extension.
+
+You must add each permission to either a cluster role or role. Then you must bind the cluster role or role to the service account with a cluster role binding or role binding.
+
+You can scope the RBAC to either the cluster or to a namespace. Use cluster roles and cluster role bindings to scope permissions to the cluster. Use roles and role bindings to scope permissions to a namespace. Whether you scope the permissions to the cluster or to a namespace depends on the design of the extension you want to install and manage.
+
+include::snippets/olmv1-manual-rbac-scoping-admonition.adoc[]
+
+If a new version of an installed extension requires additional permissions, {olmv1} halts the update process until a cluster administrator grants those permissions.

modules/olmv1-creating-a-cluster-role-binding.adoc

@@ -0,0 +1,65 @@
+// Module included in the following assemblies:
+//
+// * extensions/ce/managing-ce.adoc
+
+:_mod-docs-content-type: PROCEDURE
+
+[id="olmv1-creating-a-cluster-rol-binding_{context}"]
+= Creating a cluster role binding for an extension
+
+After you have created a service account and cluster role, you must bind the cluster role to the service account with a cluster role binding manifest.
+
+.Prerequisites
+
+* Access to an {product-title} cluster using an account with `cluster-admin` permissions.
+* You have created and applied the following resources for the extension you want to install:
+** Namespace
+** Service account
+** Cluster role
+
+.Procedure
+
+. Create a cluster role binding to bind the cluster role to the service account, similar to the following example:
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: <extension>-installer-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: <extension>-installer-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: <extension>-installer
+  namespace: <namespace>
+----
++
+.Example `pipelines-cluster-role-binding.yaml` file
+[%collapsible]
+====
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: pipelines-installer-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: pipelines-installer-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: pipelines-installer
+  namespace: pipelines
+----
+====
+
+. Apply the cluster role binding by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f pipelines-cluster-role-binding.yaml
+----