refactoring (and more changes in the copied kubernetes code)

Author: joelanford

.golangci.yaml

@@ -38,6 +38,10 @@ linters:
   - unused
   - whitespace
 
+issues:
+  exclude-dirs:
+    - internal/operator-controller/authorization/internal/kubernetes
+
 linters-settings:
   gci:
     sections:

Makefile

@@ -136,7 +136,6 @@ manifests: $(CONTROLLER_GEN) #EXHELP Generate WebhookConfiguration, ClusterRole,
 .PHONY: generate
 generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
 	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./api/..."
-	$(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./catalogd/api/..."
 
 .PHONY: verify
 verify: tidy fmt generate manifests crd-ref-docs #HELP Verify all generated code is up-to-date.

api/v1/clusterextension_types.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1
 
 import (
+	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -454,6 +455,8 @@ type ClusterExtensionStatus struct {
 	//
 	// +optional
 	Install *ClusterExtensionInstallStatus `json:"install,omitempty"`
+
+	MissingRules map[string][]rbacv1.PolicyRule `json:"missingRules,omitempty"`
 }
 
 // ClusterExtensionInstallStatus is a representation of the status of the identified bundle.

api/v1/zz_generated.deepcopy.go

@@ -415,9 +415,7 @@ func run() error {
 	helmApplier := &applier.Helm{
 		ActionClientGetter: acg,
 		Preflights:         preflights,
-		Authorizer:         authorization.NewRBACAuthorizer(mgr.GetClient()),
-		RuleResolver:       authorization.NewRBACRulesResolver(mgr.GetClient()),
-		RestMapper:         mgr.GetRESTMapper(),
+		PreAuthorizer:      authorization.NewRBACPreAuthorizer(mgr.GetClient()),
 	}
 
 	cm := contentmanager.NewManager(clientRestConfigMapper, mgr.GetConfig(), mgr.GetRESTMapper())

cmd/operator-controller/main.go

@@ -581,6 +581,58 @@ spec:
                 required:
                 - bundle
                 type: object
+              missingRules:
+                additionalProperties:
+                  items:
+                    description: |-
+                      PolicyRule holds information that describes a policy rule, but does not contain information
+                      about who the rule applies to or which namespace the rule applies to.
+                    properties:
+                      apiGroups:
+                        description: |-
+                          APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+                          the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
+                        items:
+                          type: string
+                        type: array
+                        x-kubernetes-list-type: atomic
+                      nonResourceURLs:
+                        description: |-
+                          NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+                          Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+                          Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+                        items:
+                          type: string
+                        type: array
+                        x-kubernetes-list-type: atomic
+                      resourceNames:
+                        description: ResourceNames is an optional white list of names
+                          that the rule applies to.  An empty set means that everything
+                          is allowed.
+                        items:
+                          type: string
+                        type: array
+                        x-kubernetes-list-type: atomic
+                      resources:
+                        description: Resources is a list of resources this rule applies
+                          to. '*' represents all resources.
+                        items:
+                          type: string
+                        type: array
+                        x-kubernetes-list-type: atomic
+                      verbs:
+                        description: Verbs is a list of Verbs that apply to ALL the
+                          ResourceKinds contained in this rule. '*' represents all
+                          verbs.
+                        items:
+                          type: string
+                        type: array
+                        x-kubernetes-list-type: atomic
+                    required:
+                    - verbs
+                    type: object
+                  type: array
+                type: object
             type: object
         type: object
     served: true

config/base/operator-controller/crd/bases/olm.operatorframework.io_clusterextensions.yaml

@@ -276,8 +276,6 @@ apiVersion: olm.operatorframework.io/v1
 kind: ClusterExtension
 metadata:
   name: argocd
-  annotations:
-    rev: "1"
 spec:
   namespace: argocd
   serviceAccount:

config/samples/crb.yaml

@@ -326,6 +326,7 @@ _Appears in:_
 | --- | --- | --- | --- |
 | `conditions` _[Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#condition-v1-meta) array_ | The set of condition types which apply to all spec.source variations are Installed and Progressing.<br /><br />The Installed condition represents whether or not the bundle has been installed for this ClusterExtension.<br />When Installed is True and the Reason is Succeeded, the bundle has been successfully installed.<br />When Installed is False and the Reason is Failed, the bundle has failed to install.<br /><br />The Progressing condition represents whether or not the ClusterExtension is advancing towards a new state.<br />When Progressing is True and the Reason is Succeeded, the ClusterExtension is making progress towards a new state.<br />When Progressing is True and the Reason is Retrying, the ClusterExtension has encountered an error that could be resolved on subsequent reconciliation attempts.<br />When Progressing is False and the Reason is Blocked, the ClusterExtension has encountered an error that requires manual intervention for recovery.<br /><br />When the ClusterExtension is sourced from a catalog, if may also communicate a deprecation condition.<br />These are indications from a package owner to guide users away from a particular package, channel, or bundle.<br />BundleDeprecated is set if the requested bundle version is marked deprecated in the catalog.<br />ChannelDeprecated is set if the requested channel is marked deprecated in the catalog.<br />PackageDeprecated is set if the requested package is marked deprecated in the catalog.<br />Deprecated is a rollup condition that is present when any of the deprecated conditions are present. |  |  |
 | `install` _[ClusterExtensionInstallStatus](#clusterextensioninstallstatus)_ | install is a representation of the current installation status for this ClusterExtension. |  |  |
+| `missingRules` _object (keys:string, values:[PolicyRule](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/#policyrule-v1-rbac))_ |  |  |  |
 
 
 #### ImageSource

config/samples/crb2.yaml

@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
-	"maps"
 	"strings"
 
 	"helm.sh/helm/v3/pkg/action"
@@ -17,27 +16,20 @@ import (
 	"helm.sh/helm/v3/pkg/release"
 	"helm.sh/helm/v3/pkg/storage/driver"
 	corev1 "k8s.io/api/core/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
-	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/apimachinery/pkg/util/sets"
 	apimachyaml "k8s.io/apimachinery/pkg/util/yaml"
 	"k8s.io/apiserver/pkg/authentication/user"
-	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	helmclient "github.com/operator-framework/helm-operator-plugins/pkg/client"
 
 	ocv1 "github.com/operator-framework/operator-controller/api/v1"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/authorization"
+	"github.com/operator-framework/operator-controller/internal/operator-controller/features"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/convert"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/preflights/crdupgradesafety"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/util"
-	"github.com/operator-framework/operator-controller/internal/shared/util/filter"
-	"github.com/operator-framework/operator-controller/kubernetes/pkg/registry/rbac/validation"
 )
 
 const (
@@ -66,9 +58,7 @@ type Preflight interface {
 type Helm struct {
 	ActionClientGetter helmclient.ActionClientGetter
 	Preflights         []Preflight
-	Authorizer         authorizer.Authorizer
-	RuleResolver       validation.AuthorizationRuleResolver
-	RestMapper         meta.RESTMapper
+	PreAuthorizer      authorization.PreAuthorizer
 }
 
 // shouldSkipPreflight is a helper to determine if the preflight check is CRDUpgradeSafety AND
@@ -92,51 +82,41 @@ func shouldSkipPreflight(ctx context.Context, preflight Preflight, ext *ocv1.Clu
 }
 
 func (h *Helm) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExtension, objectLabels map[string]string, storageLabels map[string]string) ([]client.Object, string, error) {
-	l := log.FromContext(ctx)
 	chrt, err := convert.RegistryV1ToHelmChart(ctx, contentFS, ext.Spec.Namespace, []string{corev1.NamespaceAll})
 	if err != nil {
 		return nil, "", err
 	}
 	values := chartutil.Values{}
 
-	ac, err := h.ActionClientGetter.ActionClientFor(ctx, ext)
-	if err != nil {
-		return nil, "", err
-	}
-
 	post := &postrenderer{
 		labels: objectLabels,
 	}
 
-	tmplRel, err := h.template(ctx, ext, chrt, values, post)
-	if err != nil {
-		return nil, "", fmt.Errorf("failed to get release state using client-only dry-run: %w", err)
-	}
+	if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) {
+		tmplRel, err := h.template(ctx, ext, chrt, values, post)
+		if err != nil {
+			return nil, "", fmt.Errorf("failed to get release state using client-only dry-run: %w", err)
+		}
 
-	collectionVerbs := []string{"list", "watch", "create"}
-	objectVerbs := []string{"get", "patch", "update", "delete"}
-	authzResults, escalationErrs, err := h.authorizeManifest(ctx, ext, strings.NewReader(tmplRel.Manifest), collectionVerbs, objectVerbs)
-	if err != nil {
-		return nil, "", fmt.Errorf("failed to authorize manifest: %w", err)
-	}
-	for _, r := range authzResults {
-		if !isAuthzResultAllowed(r) {
-			l.Info("authz result",
-				"attrs", r.Attrs,
-				"denied", r.Denied,
-				"error", r.Err,
-			)
+		ceServiceAccount := user.DefaultInfo{Name: fmt.Sprintf("system:serviceaccount:%s:%s", ext.Spec.Namespace, ext.Spec.ServiceAccount.Name)}
+		missingRules, err := h.PreAuthorizer.PreAuthorize(ctx, &ceServiceAccount, strings.NewReader(tmplRel.Manifest))
+
+		var preAuthErrors []error
+		if len(missingRules) > 0 {
+			ext.Status.MissingRules = missingRules
+			preAuthErrors = append(preAuthErrors, errors.New("service account lacks permission to manage cluster extension"))
 		}
-	}
-	for _, err := range escalationErrs {
 		if err != nil {
-			l.Info("escalation result failure",
-				"error", err,
-			)
+			preAuthErrors = append(preAuthErrors, fmt.Errorf("authorization evaluation error: %w", err))
+		}
+		if len(preAuthErrors) > 0 {
+			return nil, "", fmt.Errorf("pre-authorization failed: %v", preAuthErrors)
 		}
 	}
-	if err := processAuthzResults(ctx, authzResults, escalationErrs); err != nil {
-		return nil, "", fmt.Errorf("service account lacks the necessary permissions: %w", err)
+
+	ac, err := h.ActionClientGetter.ActionClientFor(ctx, ext)
+	if err != nil {
+		return nil, "", err
 	}
 
 	rel, desiredRel, state, err := h.getReleaseState(ac, ext, chrt, values, post)
@@ -164,7 +144,6 @@ func (h *Helm) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExte
 
 	switch state {
 	case StateNeedsInstall:
-		l.Info("installing extension")
 		rel, err = ac.Install(ext.GetName(), ext.Spec.Namespace, chrt, values, func(install *action.Install) error {
 			install.CreateNamespace = false
 			install.Labels = storageLabels
@@ -173,9 +152,7 @@ func (h *Helm) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExte
 		if err != nil {
 			return nil, state, err
 		}
-		l.Info("install succeeded", "revision", rel.Version, "status", rel.Info.Status)
 	case StateNeedsUpgrade:
-		l.Info("upgrading extension")
 		rel, err = ac.Upgrade(ext.GetName(), ext.Spec.Namespace, chrt, values, func(upgrade *action.Upgrade) error {
 			upgrade.MaxHistory = maxHelmReleaseHistory
 			upgrade.Labels = storageLabels
@@ -184,13 +161,10 @@ func (h *Helm) Apply(ctx context.Context, contentFS fs.FS, ext *ocv1.ClusterExte
 		if err != nil {
 			return nil, state, err
 		}
-		l.Info("upgrade succeeded", "revision", rel.Version, "status", rel.Info.Status)
 	case StateUnchanged:
-		l.Info("reconciling extension")
 		if err := ac.Reconcile(rel); err != nil {
 			return nil, state, err
 		}
-		l.Info("reconcile succeeded", "revision", rel.Version, "status", rel.Info.Status)
 	default:
 		return nil, state, fmt.Errorf("unexpected release state %q", state)
 	}
@@ -240,7 +214,7 @@ func (h *Helm) getReleaseState(cl helmclient.ActionInterface, ext *ocv1.ClusterE
 			return nil
 		}, helmclient.AppendInstallPostRenderer(post))
 		if err != nil {
-			return nil, nil, StateError, fmt.Errorf("dry-run install failed: %w", err)
+			return nil, nil, StateError, err
 		}
 		return nil, desiredRelease, StateNeedsInstall, nil
 	}
@@ -295,161 +269,3 @@ func (p *postrenderer) Run(renderedManifests *bytes.Buffer) (*bytes.Buffer, erro
 	}
 	return &buf, nil
 }
-
-type authorizationResult struct {
-	Attrs  authorizer.AttributesRecord
-	Denied bool
-	Reason string
-	Err    error
-}
-
-func (h *Helm) authorizeManifest(ctx context.Context, ext *ocv1.ClusterExtension, manifestReader io.Reader, collectionVerbs, objectVerbs []string) ([]authorizationResult, []error, error) {
-	var (
-		user = user.DefaultInfo{Name: fmt.Sprintf("system:serviceaccount:%s:%s", ext.Spec.Namespace, ext.Spec.ServiceAccount.Name)}
-
-		authorizationResults  []authorizationResult
-		escalationErrs        []error
-		groupVersionResources = map[schema.GroupVersionResource][]client.ObjectKey{}
-
-		clusterRoles        = map[client.ObjectKey]rbacv1.ClusterRole{}
-		roles               = map[client.ObjectKey]rbacv1.Role{}
-		clusterRoleBindings = map[client.ObjectKey]rbacv1.ClusterRoleBinding{}
-		roleBindings        = map[client.ObjectKey]rbacv1.RoleBinding{}
-	)
-
-	dec := apimachyaml.NewYAMLOrJSONDecoder(manifestReader, 1024)
-	for {
-		var uObj unstructured.Unstructured
-		err := dec.Decode(&uObj)
-		if errors.Is(err, io.EOF) {
-			break
-		}
-		if err != nil {
-			return nil, nil, err
-		}
-		gvk := uObj.GroupVersionKind()
-		restMapping, err := h.RestMapper.RESTMapping(gvk.GroupKind(), gvk.Version)
-		if err != nil {
-			return nil, nil, err
-		}
-
-		gvr := restMapping.Resource
-		groupVersionResources[gvr] = append(groupVersionResources[gvr], client.ObjectKeyFromObject(&uObj))
-
-		switch restMapping.Resource.GroupResource() {
-		case schema.GroupResource{Group: rbacv1.GroupName, Resource: "clusterroles"}:
-			obj := &rbacv1.ClusterRole{}
-			if err := runtime.DefaultUnstructuredConverter.FromUnstructured(uObj.UnstructuredContent(), obj); err != nil {
-				return nil, nil, err
-			}
-			clusterRoles[client.ObjectKeyFromObject(obj)] = *obj
-		case schema.GroupResource{Group: rbacv1.GroupName, Resource: "clusterrolebindings"}:
-			obj := &rbacv1.ClusterRoleBinding{}
-			if err := runtime.DefaultUnstructuredConverter.FromUnstructured(uObj.UnstructuredContent(), obj); err != nil {
-				return nil, nil, err
-			}
-			clusterRoleBindings[client.ObjectKeyFromObject(obj)] = *obj
-		case schema.GroupResource{Group: rbacv1.GroupName, Resource: "roles"}:
-			obj := &rbacv1.Role{}
-			if err := runtime.DefaultUnstructuredConverter.FromUnstructured(uObj.UnstructuredContent(), obj); err != nil {
-				return nil, nil, err
-			}
-			roles[client.ObjectKeyFromObject(obj)] = *obj
-		case schema.GroupResource{Group: rbacv1.GroupName, Resource: "rolebindings"}:
-			obj := &rbacv1.RoleBinding{}
-			if err := runtime.DefaultUnstructuredConverter.FromUnstructured(uObj.UnstructuredContent(), obj); err != nil {
-				return nil, nil, err
-			}
-			roleBindings[client.ObjectKeyFromObject(obj)] = *obj
-		}
-	}
-
-	var attributeRecords []authorizer.AttributesRecord
-	for gvr, keys := range groupVersionResources {
-		namespaces := sets.New[string]()
-		for _, k := range keys {
-			namespaces.Insert(k.Namespace)
-			for _, v := range objectVerbs {
-				attributeRecords = append(attributeRecords, authorizer.AttributesRecord{
-					User:            &user,
-					Namespace:       k.Namespace,
-					Name:            k.Name,
-					APIGroup:        gvr.Group,
-					APIVersion:      gvr.Version,
-					Resource:        gvr.Resource,
-					ResourceRequest: true,
-					Verb:            v,
-				})
-			}
-		}
-		for _, ns := range sets.List(namespaces) {
-			for _, v := range collectionVerbs {
-				attributeRecords = append(attributeRecords, authorizer.AttributesRecord{
-					User:            &user,
-					Namespace:       ns,
-					Name:            "",
-					APIGroup:        gvr.Group,
-					APIVersion:      gvr.Version,
-					Resource:        gvr.Resource,
-					ResourceRequest: true,
-					Verb:            v,
-				})
-			}
-		}
-	}
-
-	for _, attributeRecord := range attributeRecords {
-		decision, reason, err := h.Authorizer.Authorize(ctx, attributeRecord)
-		authorizationResults = append(authorizationResults, authorizationResult{
-			Attrs:  attributeRecord,
-			Denied: decision == authorizer.DecisionDeny,
-			Reason: reason,
-			Err:    err,
-		})
-	}
-
-	escalationChecker := authorization.EscalateChecker{
-		Authorizer:                h.Authorizer,
-		AuthorizationRuleResolver: h.RuleResolver,
-		ExtraClusterRoles:         clusterRoles,
-		ExtraRoles:                roles,
-	}
-
-	for obj := range maps.Values(clusterRoles) {
-		escalationErrs = append(escalationErrs, escalationChecker.CheckEscalation(ctx, user, &obj))
-	}
-	for obj := range maps.Values(roles) {
-		escalationErrs = append(escalationErrs, escalationChecker.CheckEscalation(ctx, user, &obj))
-	}
-	for obj := range maps.Values(clusterRoleBindings) {
-		escalationErrs = append(escalationErrs, escalationChecker.CheckEscalation(ctx, user, &obj))
-	}
-	for obj := range maps.Values(roleBindings) {
-		escalationErrs = append(escalationErrs, escalationChecker.CheckEscalation(ctx, user, &obj))
-	}
-	return authorizationResults, escalationErrs, nil
-}
-
-func isAuthzResultAllowed(authzResult authorizationResult) bool {
-	return authzResult.Err == nil && !authzResult.Denied
-}
-
-func processAuthzResults(ctx context.Context, authzResults []authorizationResult, escalationErrs []error) error {
-	unauthorizedAuthzResults := filter.Filter(authzResults, func(authzResult authorizationResult) bool {
-		return !isAuthzResultAllowed(authzResult)
-	})
-	unauthorizedEscalations := filter.Filter(escalationErrs, func(escalationErr error) bool {
-		return escalationErr != nil
-	})
-
-	var errs []error
-	if len(unauthorizedAuthzResults) > 0 {
-		log.FromContext(ctx).Info("unauthorized authzs", "deniedCount", len(unauthorizedAuthzResults), "totalCount", len(authzResults))
-		errs = append(errs, errors.New("unauthorized authzs"))
-	}
-	if len(unauthorizedEscalations) > 0 {
-		log.FromContext(ctx).Info("unauthorized escalation", "deniedCount", len(unauthorizedEscalations), "totalCount", len(escalationErrs))
-		errs = append(errs, errors.New("unauthorized escalations"))
-	}
-	return errors.Join(errs...)
-}

config/samples/olm_v1_clusterextension.yaml

@@ -13,14 +13,12 @@ import (
 	"helm.sh/helm/v3/pkg/chart"
 	"helm.sh/helm/v3/pkg/release"
 	"helm.sh/helm/v3/pkg/storage/driver"
-	featuregatetesting "k8s.io/component-base/featuregate/testing"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	helmclient "github.com/operator-framework/helm-operator-plugins/pkg/client"
 
 	ocv1 "github.com/operator-framework/operator-controller/api/v1"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/applier"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/features"
 )
 
 type mockPreflight struct {
@@ -228,71 +226,6 @@ func TestApply_Installation(t *testing.T) {
 	})
 }
 
-func TestApply_InstallationWithPreflightPermissionsEnabled(t *testing.T) {
-	featuregatetesting.SetFeatureGateDuringTest(t, features.OperatorControllerFeatureGate, features.PreflightPermissions, true)
-
-	t.Run("fails during dry-run installation", func(t *testing.T) {
-		mockAcg := &mockActionGetter{
-			getClientErr:     driver.ErrReleaseNotFound,
-			dryRunInstallErr: errors.New("failed attempting to dry-run install chart"),
-		}
-		helmApplier := applier.Helm{ActionClientGetter: mockAcg}
-
-		objs, state, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels)
-		require.Error(t, err)
-		require.ErrorContains(t, err, "attempting to dry-run install chart")
-		require.Nil(t, objs)
-		require.Empty(t, state)
-	})
-
-	t.Run("fails during pre-flight installation", func(t *testing.T) {
-		mockAcg := &mockActionGetter{
-			getClientErr: driver.ErrReleaseNotFound,
-			installErr:   errors.New("failed installing chart"),
-		}
-		mockPf := &mockPreflight{installErr: errors.New("failed during install pre-flight check")}
-		helmApplier := applier.Helm{ActionClientGetter: mockAcg, Preflights: []applier.Preflight{mockPf}}
-
-		objs, state, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels)
-		require.Error(t, err)
-		require.ErrorContains(t, err, "install pre-flight check")
-		require.Equal(t, applier.StateNeedsInstall, state)
-		require.Nil(t, objs)
-	})
-
-	t.Run("fails during installation", func(t *testing.T) {
-		mockAcg := &mockActionGetter{
-			getClientErr: driver.ErrReleaseNotFound,
-			installErr:   errors.New("failed installing chart"),
-		}
-		helmApplier := applier.Helm{ActionClientGetter: mockAcg}
-
-		objs, state, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels)
-		require.Error(t, err)
-		require.ErrorContains(t, err, "installing chart")
-		require.Equal(t, applier.StateNeedsInstall, state)
-		require.Nil(t, objs)
-	})
-
-	t.Run("successful installation", func(t *testing.T) {
-		mockAcg := &mockActionGetter{
-			getClientErr: driver.ErrReleaseNotFound,
-			desiredRel: &release.Release{
-				Info:     &release.Info{Status: release.StatusDeployed},
-				Manifest: validManifest,
-			},
-		}
-		helmApplier := applier.Helm{ActionClientGetter: mockAcg}
-
-		objs, state, err := helmApplier.Apply(context.TODO(), validFS, testCE, testObjectLabels, testStorageLabels)
-		require.NoError(t, err)
-		require.Equal(t, applier.StateNeedsInstall, state)
-		require.NotNil(t, objs)
-		assert.Equal(t, "service-a", objs[0].GetName())
-		assert.Equal(t, "service-b", objs[1].GetName())
-	})
-}
-
 func TestApply_Upgrade(t *testing.T) {
 	testCurrentRelease := &release.Release{
 		Info: &release.Info{Status: release.StatusDeployed},

config/samples/xx_olm_v1_clusterextension.yaml

@@ -19,14 +19,13 @@ package rbac
 import (
 	"context"
 	"fmt"
+	rbac2 "github.com/operator-framework/operator-controller/internal/operator-controller/authorization/internal/kubernetes/pkg/apis/rbac"
 
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
-
-	"github.com/operator-framework/operator-controller/kubernetes/pkg/apis/rbac"
 )
 
 // EscalationAllowed checks if the user associated with the context is a superuser
@@ -48,8 +47,8 @@ func EscalationAllowed(ctx context.Context) bool {
 }
 
 var roleResources = map[schema.GroupResource]bool{
-	rbac.SchemeGroupVersion.WithResource("clusterroles").GroupResource(): true,
-	rbac.SchemeGroupVersion.WithResource("roles").GroupResource():        true,
+	rbac2.SchemeGroupVersion.WithResource("clusterroles").GroupResource(): true,
+	rbac2.SchemeGroupVersion.WithResource("roles").GroupResource():        true,
 }
 
 // RoleEscalationAuthorized checks if the user associated with the context is explicitly authorized to escalate the role resource associated with the context
@@ -99,7 +98,7 @@ func RoleEscalationAuthorized(ctx context.Context, a authorizer.Authorizer) bool
 }
 
 // BindingAuthorized returns true if the user associated with the context is explicitly authorized to bind the specified roleRef
-func BindingAuthorized(ctx context.Context, roleRef rbac.RoleRef, bindingNamespace string, a authorizer.Authorizer) bool {
+func BindingAuthorized(ctx context.Context, roleRef rbac2.RoleRef, bindingNamespace string, a authorizer.Authorizer) bool {
 	if a == nil {
 		return false
 	}

docs/api-reference/operator-controller-api-reference.md

@@ -21,11 +21,11 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	rbacv1helpers "github.com/operator-framework/operator-controller/internal/operator-controller/authorization/internal/kubernetes/pkg/apis/rbac/v1"
+	rbacregistryvalidation "github.com/operator-framework/operator-controller/internal/operator-controller/authorization/internal/kubernetes/pkg/registry/rbac/validation"
 
 	"k8s.io/klog/v2"
 
-	rbacv1helpers "github.com/operator-framework/operator-controller/kubernetes/pkg/apis/rbac/v1"
-	rbacregistryvalidation "github.com/operator-framework/operator-controller/kubernetes/pkg/registry/rbac/validation"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"

internal/operator-controller/applier/helm.go

@@ -20,6 +20,7 @@ import (
 	"reflect"
 
 	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
 )
 
 type simpleResource struct {
@@ -54,6 +55,13 @@ func CompactRules(rules []rbacv1.PolicyRule) ([]rbacv1.PolicyRule, error) {
 
 	// Once we've consolidated the simple resource rules, add them to the compacted list
 	for _, simpleRule := range simpleRules {
+		verbSet := sets.New[string](simpleRule.Verbs...)
+		if verbSet.Has("*") {
+			simpleRule.Verbs = []string{"*"}
+		} else {
+			simpleRule.Verbs = sets.List(verbSet)
+		}
+
 		compacted = append(compacted, *simpleRule)
 	}
 

internal/operator-controller/applier/helm_test.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	rbacv1helpers "github.com/operator-framework/operator-controller/internal/operator-controller/authorization/internal/kubernetes/pkg/apis/rbac/v1"
 	"strings"
 
 	rbacv1 "k8s.io/api/rbac/v1"
@@ -30,8 +31,6 @@ import (
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/component-helpers/auth/rbac/validation"
 	"k8s.io/klog/v2"
-
-	rbacv1helpers "github.com/operator-framework/operator-controller/kubernetes/pkg/apis/rbac/v1"
 )
 
 type AuthorizationRuleResolver interface {
@@ -49,6 +48,27 @@ type AuthorizationRuleResolver interface {
 	VisitRulesFor(ctx context.Context, user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbacv1.PolicyRule, err error) bool)
 }
 
+type PrivilegeEscalationError struct {
+	User                 user.Info
+	Namespace            string
+	MissingRules         []rbacv1.PolicyRule
+	RuleResolutionErrors []error
+}
+
+func (e *PrivilegeEscalationError) Error() string {
+	missingDescriptions := sets.NewString()
+	for _, missing := range e.MissingRules {
+		missingDescriptions.Insert(rbacv1helpers.CompactString(missing))
+	}
+
+	msg := fmt.Sprintf("user %q (groups=%q) is attempting to grant RBAC permissions not currently held:\n%s", e.User.GetName(), e.User.GetGroups(), strings.Join(missingDescriptions.List(), "\n"))
+	if len(e.RuleResolutionErrors) > 0 {
+		msg = msg + fmt.Sprintf("; resolution errors: %v", e.RuleResolutionErrors)
+	}
+
+	return msg
+}
+
 // ConfirmNoEscalation determines if the roles for a given user in a given namespace encompass the provided role.
 func ConfirmNoEscalation(ctx context.Context, ruleResolver AuthorizationRuleResolver, rules []rbacv1.PolicyRule) error {
 	ruleResolutionErrors := []error{}
@@ -73,17 +93,12 @@ func ConfirmNoEscalation(ctx context.Context, ruleResolver AuthorizationRuleReso
 			compactMissingRights = compact
 		}
 
-		missingDescriptions := sets.NewString()
-		for _, missing := range compactMissingRights {
-			missingDescriptions.Insert(rbacv1helpers.CompactString(missing))
+		return &PrivilegeEscalationError{
+			User:                 user,
+			Namespace:            namespace,
+			MissingRules:         compactMissingRights,
+			RuleResolutionErrors: ruleResolutionErrors,
 		}
-
-		msg := fmt.Sprintf("user %q (groups=%q) is attempting to grant RBAC permissions not currently held:\n%s", user.GetName(), user.GetGroups(), strings.Join(missingDescriptions.List(), "\n"))
-		if len(ruleResolutionErrors) > 0 {
-			msg = msg + fmt.Sprintf("; resolution errors: %v", ruleResolutionErrors)
-		}
-
-		return errors.New(msg)
 	}
 	return nil
 }