operator-framework · openshift-merge-robot · Mar 19, 2019 · Mar 18, 2019 · Mar 19, 2019 · Mar 19, 2019
diff --git a/Makefile b/Makefile
@@ -99,7 +99,6 @@ container:
 clean-e2e:
 	kubectl delete crds --all
 	kubectl delete apiservices.apiregistration.k8s.io v1alpha1.packages.apps.redhat.com || true
-	for i in {1..40}; do kubectl delete namespace "ns-$i" || true; done
 	kubectl delete -f test/e2e/resources/0000_50_olm_00-namespace.yaml
 
 clean:

diff --git a/pkg/controller/operators/olm/operator_test.go b/pkg/controller/operators/olm/operator_test.go
@@ -3362,7 +3362,11 @@ func TestSyncOperatorGroups(t *testing.T) {
 								"olm.owner.kind":      "ClusterServiceVersion",
 							},
 						},
-						Rules: permissions[0].Rules,
+						Rules: append(permissions[0].Rules, rbacv1.PolicyRule{
+							Verbs:     ViewVerbs,
+							APIGroups: []string{corev1.GroupName},
+							Resources: []string{"namespaces"},
+						}),
 					},
 					&rbacv1.ClusterRoleBinding{
 						TypeMeta: metav1.TypeMeta{
@@ -3475,7 +3479,11 @@ func TestSyncOperatorGroups(t *testing.T) {
 								"olm.owner.kind":      "ClusterServiceVersion",
 							},
 						},
-						Rules: permissions[0].Rules,
+						Rules: append(permissions[0].Rules, rbacv1.PolicyRule{
+							Verbs:     ViewVerbs,
+							APIGroups: []string{corev1.GroupName},
+							Resources: []string{"namespaces"},
+						}),
 					},
 					&rbacv1.ClusterRoleBinding{
 						TypeMeta: metav1.TypeMeta{

diff --git a/pkg/controller/operators/olm/operatorgroup.go b/pkg/controller/operators/olm/operatorgroup.go
@@ -359,7 +359,11 @@ func (a *Operator) ensureSingletonRBAC(operatorNamespace string, csv *v1alpha1.C
 					Name:   r.GetName(),
 					Labels: r.GetLabels(),
 				},
-				Rules: r.Rules,
+				Rules: append(r.Rules, rbacv1.PolicyRule{
+					Verbs:     ViewVerbs,
+					APIGroups: []string{corev1.GroupName},
+					Resources: []string{"namespaces"},
+				}),
 			}
 			if _, err := a.OpClient.CreateClusterRole(clusterRole); err != nil {
 				return err

diff --git a/scripts/build_local.sh b/scripts/build_local.sh
@@ -14,7 +14,7 @@ docker build -f upstream.Dockerfile .
 docker tag $(docker images --filter 'label=stage=olm' --format '{{.CreatedAt}}\t{{.ID}}' | sort -nr | head -n 1 | cut -f2) quay.io/operator-framework/olm:local
 docker tag $(docker images --filter 'label=stage=builder' --format '{{.CreatedAt}}\t{{.ID}}' | sort -nr | head -n 1 | cut -f2) quay.io/operator-framework/olm-e2e:local
 
-for i in {1..40}
-do
-	kubectl create namespace "ns-$i" || true
-done
+if [ -x "$(command -v kind)" ]; then
+  kind load docker-image quay.io/operator-framework/olm:local
+  kind load docker-image quay.io/operator-framework/olm-e2e:local
+fi
diff --git a/test/e2e/operator_groups_e2e_test.go b/test/e2e/operator_groups_e2e_test.go
@@ -11,6 +11,7 @@ import (
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/ownerutil"
 	"github.com/stretchr/testify/require"
 	appsv1 "k8s.io/api/apps/v1"
+	"k8s.io/api/authorization/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
@@ -1262,7 +1263,11 @@ func TestCSVCopyWatchingAllNamespaces(t *testing.T) {
 		}
 		return true, nil
 	})
-	require.EqualValues(t, role.Rules, fetchedRole.Rules)
+	require.EqualValues(t, append(role.Rules, rbacv1.PolicyRule{
+		Verbs:     []string{"get", "list", "watch"},
+		APIGroups: []string{""},
+		Resources: []string{"namespaces"},
+	}), fetchedRole.Rules)
 	var fetchedRoleBinding *rbacv1.ClusterRoleBinding
 	err = wait.Poll(pollInterval, pollDuration, func() (bool, error) {
 		fetchedRoleBinding, err = c.GetClusterRoleBinding(roleBinding.GetName())
@@ -1279,6 +1284,21 @@ func TestCSVCopyWatchingAllNamespaces(t *testing.T) {
 	require.EqualValues(t, "rbac.authorization.k8s.io", fetchedRoleBinding.RoleRef.APIGroup)
 	require.EqualValues(t, "ClusterRole", fetchedRoleBinding.RoleRef.Kind)
 
+	t.Log("ensure operator was granted namespace list permission")
+	res, err := c.KubernetesInterface().AuthorizationV1().SubjectAccessReviews().Create(&v1.SubjectAccessReview{
+		Spec: v1.SubjectAccessReviewSpec{
+			User: "system:serviceaccount:" + opGroupNamespace + ":" + serviceAccountName,
+			ResourceAttributes: &v1.ResourceAttributes{
+				Group:    corev1.GroupName,
+				Version:  "v1",
+				Resource: "namespaces",
+				Verb:     "list",
+			},
+		},
+	})
+	require.NoError(t, err)
+	require.True(t, res.Status.Allowed, "got %#v", res.Status)
+
 	t.Log("Waiting for operator namespace csv to have annotations")
 	err = wait.Poll(pollInterval, pollDuration, func() (bool, error) {
 		fetchedCSV, fetchErr := crc.OperatorsV1alpha1().ClusterServiceVersions(opGroupNamespace).Get(csvName, metav1.GetOptions{})