From 3e9a5f32165c29aa3bbd2151c294465cc08b8ee5 Mon Sep 17 00:00:00 2001 From: Matt Dorn Date: Tue, 25 Sep 2018 12:18:50 -0500 Subject: [PATCH] refine cluster-admin OLM workflow --- Documentation/design/access-control.md | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/Documentation/design/access-control.md b/Documentation/design/access-control.md index 73d6dc543d..4ca8fcf9e0 100644 --- a/Documentation/design/access-control.md +++ b/Documentation/design/access-control.md 
@@ -27,17 +27,12 @@ As you can see, no cluster permissions are needed. ## Cluster Admins -Cluster admins have the ability to provide a selection of Operators for use on the cluster. These Operators are described in a Cluster Service Version (CSV) file. Upon installation, the OLM software parses the CSV to create the cluster wide resources needed for safe operation: +Cluster admins have the ability to provide a selection of Operators for use on the cluster. These Operators are described in a Cluster Service Version (CSV) file which resides in a CatalogSource (along with the Operator's CRD and package manifests). The cluster admin can now select the teams and namespaces that can use this particular Operator, by creating a Subscription object, which will trigger the creation of an InstallPlan that points to a specific CatalogSource. Once the InstallPlan is approved, the OLM software is responsible for parsing the CatalogSource and performing the following: -1. Create Role contained in the CSV -1. Create the Custom Resource Definition contained in the CSV - -The cluster admin can now select the teams and namespaces that can use this particular Operator, by creating a Subscription object, which will trigger the installation of the Operator: - -1. Create Service Account for Operator -1. Create minimal Role for the Operator -1. Create Role Binding for Role and Service Account 1. Create the Custom Resource Definition +1. Create Service Account for Operator +1. Create minimal Role or ClusterRole for the Operator +1. Create Role or ClusterRoleBinding for Role or ClusterRole and Service Account 1. Create Operator Deployment, referencing the Service Account Once a namespace is created, the end-users now have the ability to create instances of the Custom Resource in a self-service manner (see above). OLM also has the ability to control automatic updates of the Operators running in namespaces. See the [architecture][arch] for more details.
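Review bot: the third added list item, `+1. Create Role or ClusterRoleBinding for Role or ClusterRole and Service Account`, misnames the namespaced binding; it reads as creating a Role rather than a RoleBinding, so it should say "Create RoleBinding or ClusterRoleBinding for the Role or ClusterRole and Service Account" to match the preceding item `+1. Create minimal Role or ClusterRole for the Operator`. Since this hunk is the first place the document introduces the ClusterRole/ClusterRoleBinding path, the rewritten paragraph's claim that the cluster admin "can now select the teams and namespaces that can use this particular Operator" by creating a Subscription deserves a sentence saying that when a CSV requests a ClusterRole, the resulting ClusterRoleBinding grants the Operator's Service Account those permissions cluster-wide, not only in the subscribed namespace; that is exactly what an admin is signing off on at the "Once the InstallPlan is approved" step, and the old text's "safe operation" / "minimal Role" wording no longer makes that scope difference visible. Finally, "the OLM software is responsible for parsing the CatalogSource" is less precise than the deleted "parses the CSV": the same paragraph says the CSV resides in the CatalogSource, and it is the CSV that carries the CRD and permission definitions the list items create, so "parsing the CSV from the CatalogSource" would keep the two concepts distinct.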