| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * extensions/ce/olmv1-installing-an-operator-from-a-catalog.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: REFERENCE |
| 6 | + |
| 7 | +[id="olmv1-troubleshooting-rbac-errors-with-preflight-check_{context}"] |
| 8 | += Preflight permissions check for cluster extensions (Technology Preview) |
| 9 | + |
| 10 | +When you try to install an extension, the Operator Controller performs a dry run of the installation process. This dry run verifies that the specified service account can perform all the actions required to install the extension. This includes creating all the Kubernetes objects in the bundle and the role-based access control (RBAC) rules for the roles and bindings defined by the bundle. |
| 11 | + |
| 12 | +:FeatureName: The preflight permissions check for cluster extensions |
| 13 | +include::snippets/technology-preview.adoc[] |
| 14 | + |
| 15 | +If the service account is missing any required RBAC rules, the preflight check fails before the actual installation proceeds. If the preflight check fails, the Operator Controller reports the errors in the status conditions of the extension and in the logs of the Operator Controller. |
| 16 | + |
| 17 | +To proceed with the installation, update the roles and bindings to grant the missing permissions to the service account and apply the changes. If there are no errors, the Operator Controller reconciles the updated permissions and completes the installation. |
| 18 | + |
| 19 | +[id="olmv1-preflight-permissions-check-output_{context}"] |
| 20 | +== Example report from the preflight permissions check |
| 21 | + |
| 22 | +The following report indicates that the service account requires the following missing permissions: |
| 23 | + |
| 24 | +* RBAC rules to perform `list` and `watch` actions for the `services` resource in the core API group for the entire cluster |
| 25 | +* RBAC rules to perform `create` actions for `deployments` resources in the `apps` API group for the `pipelines` namespace |
| 26 | + |
| 27 | +You can access the reports from the preflight permissions check in the status conditions of the cluster extension. The `oc describe clusterextension` command prints information about a cluster extension, including the status conditions. |
| 28 | + |
| 29 | +.Example command |
| 30 | +[source,terminal] |
| 31 | +---- |
| 32 | +$ oc describe clusterextension <extension_name> |
| 33 | +---- |
| 34 | + |
| 35 | +.Example report |
| 36 | +[source,text] |
| 37 | +---- |
| 38 | +apiVersion: v1 |
| 39 | +items: |
| 40 | +- apiVersion: olm.operatorframework.io/v1 |
| 41 | + kind: ClusterExtension |
| 42 | +... |
| 43 | +Conditions: |
| 44 | + Type: Progressing |
| 45 | + Status: False |
| 46 | + Reason: Retrying |
| 47 | + Message: pre-authorization failed: service account requires the following permissions to manage cluster extension: |
| 48 | + Namespace:"" APIGroups:[] Resources:[services] Verbs:[list,watch] |
| 49 | + Namespace:"pipelines" APIGroups:["apps"] Resources:[deployments] Verbs:[create] |
| 50 | +---- |
| 51 | + |
| 52 | +`Namespace`:: Specifies the scope of the required RBAC rules at the namespace level, for example the `pipelines` namespace. An empty namespace value, `""`, indicates that you must scope the permission to the cluster. |
| 53 | + |
| 54 | +`APIGroups`:: Specifies the name of the API group the required permissions apply to. An empty value in the API group, `[]`, indicates the permissions apply to the core API group. For example, services, secrets, and config maps are all core resources. |
| 55 | ++ |
| 56 | +If a resource belongs to a named API group, the report lists the name in between the brackets. For example, the value of `APIGroups:[apps]` indicates the extension requires RBAC rules to act on resources in the `apps` API group. |
| 57 | + |
| 58 | +`Resources`:: Specifies the resource types that require permissions. For example, services, secrets, and custom resource definitions are common resource types. |
| 59 | + |
| 60 | +`Verbs`:: Specifies the actions, or _verbs_, that the service account needs permission to perform. If the report lists several verbs, all of the listed verbs require RBAC rules. |
| 61 | + |
| 62 | +[id="olmv1-common-rbac-errors_{context}"] |
| 63 | +== Common permission errors |
| 64 | + |
| 65 | +Missing verbs:: The service account does not have permission to perform a required action. To resolve this issue, update or create a role and binding to grant the necessary permissions. Roles and role bindings define resource permissions for a namespace. Cluster roles and cluster role bindings define resource permissions for the cluster. |
| 66 | + |
| 67 | +Privilege escalation:: The service account does not have enough permission to create a role or cluster role that the extension needs. When this happens, the preflight check reports the verbs as missing to prevent privilege escalation. To resolve this issue, grant enough permission to the service account so that it can create the roles. |
| 68 | + |
| 69 | +Missing role references:: The extension references a role or cluster role that the Operator Controller cannot find. When this happens, the preflight check lists the missing role and reports an `authorization evalutation error`. To resolve the issue, create or update the roles and cluster roles to ensure that all role references exist. |
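Review bot: the `.Example report` block does not match the command it illustrates. `oc describe clusterextension <extension_name>` prints the human-readable form (the capitalized `Conditions:` / `Type:` / `Status:` / `Reason:` / `Message:` keys at the end of the block), while the first lines (`apiVersion: v1`, `items:`, `- apiVersion: olm.operatorframework.io/v1`, `kind: ClusterExtension`) are the YAML list wrapper that an `oc get ... -o yaml` call emits; the two never appear together in one output. Either drop the YAML header and keep only the `Conditions:` section, or change the command to `oc get clusterextension <extension_name> -o yaml` and show the lowercase `conditions:` field, so a reader can match the sample against what the cluster actually prints. Smaller points in the same hunk: the `APIGroups` description writes the group as `APIGroups:[apps]` while the sample report shows `APIGroups:["apps"]`; pick one spelling so the explanation lines up with the sample. In the `Privilege escalation` entry, "grant enough permission to the service account so that it can create the roles" is ambiguous between `create` on `roles`/`clusterroles` and holding the permissions those roles grant; say which one the check is reporting, since the preceding sentence says the verbs themselves are reported as missing. Finally, in the `Missing role references` entry, `authorization evalutation error` should read `authorization evaluation error` unless the misspelling is quoted verbatim from the controller output, in which case note that.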