⚠ Single-tenant simplification: remove deprecated features and simplify operator model

Implement the single-tenant simplification design to re-affirm OLM v1's
cluster-admin-only operational model.

Changes across work items:
- 01-cluster-admin: Grant operator-controller cluster-admin ClusterRole
  (remove custom RBAC rules)
- 02-deprecate-service-account: Mark spec.serviceAccount as deprecated
  and optional; remove from docs/examples/tooling
- 03-remove-preflight-permissions: Remove PreflightPermissions feature
  gate and RBAC pre-authorization code
- 04-remove-synthetic-permissions: Remove SyntheticPermissions feature
  gate and synthetic user/group authentication
- 07-simplify-contentmanager: Remove per-extension REST config and use
  shared manager client for content management
- 09-documentation: Resolve merge conflicts, add cleanup tracking

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: joelanford

Makefile

@@ -153,10 +153,6 @@ lint-custom: custom-linter-build #EXHELP Call custom linter for the project
 lint-api-diff: $(GOLANGCI_LINT) #HELP Validate API changes using kube-api-linter with diff-aware analysis
 	hack/api-lint-diff/run.sh
 
-.PHONY: k8s-pin
-k8s-pin: #EXHELP Pin k8s staging modules based on k8s.io/kubernetes version (in go.mod or from K8S_IO_K8S_VERSION env var) and run go mod tidy.
-	K8S_IO_K8S_VERSION='$(K8S_IO_K8S_VERSION)' go run hack/tools/k8smaintainer/main.go
-
 .PHONY: tidy #HELP Run go mod tidy.
 tidy:
 	go mod tidy
@@ -204,7 +200,7 @@ generate: $(CONTROLLER_GEN) #EXHELP Generate code containing DeepCopy, DeepCopyI
 	$(CONTROLLER_GEN) --load-build-tags=$(GO_BUILD_TAGS) object:headerFile="hack/boilerplate.go.txt" paths="./..."
 
 .PHONY: verify
-verify: k8s-pin kind-verify-versions fmt generate manifests update-tls-profiles crd-ref-docs update-registryv1-bundle-schema verify-bingo #HELP Verify all generated code is up-to-date. Runs k8s-pin instead of just tidy.
+verify: tidy kind-verify-versions fmt generate manifests update-tls-profiles crd-ref-docs update-registryv1-bundle-schema verify-bingo #HELP Verify all generated code is up-to-date.
 	git diff --exit-code
 
 .PHONY: verify-bingo

cmd/operator-controller/main.go

@@ -59,7 +59,6 @@ import (
 	ocv1 "github.com/operator-framework/operator-controller/api/v1"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/action"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/applier"
-	"github.com/operator-framework/operator-controller/internal/operator-controller/authorization"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/catalogmetadata/cache"
 	catalogclient "github.com/operator-framework/operator-controller/internal/operator-controller/catalogmetadata/client"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/contentmanager"
@@ -598,12 +597,6 @@ func (c *boxcutterReconcilerConfigurator) Configure(ceReconciler *controllers.Cl
 		return err
 	}
 
-	// determine if PreAuthorizer should be enabled based on feature gate
-	var preAuth authorization.PreAuthorizer
-	if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) {
-		preAuth = authorization.NewRBACPreAuthorizer(c.mgr.GetClient())
-	}
-
 	// TODO: better scheme handling - which types do we want to support?
 	_ = apiextensionsv1.AddToScheme(c.mgr.GetScheme())
 	rg := &applier.SimpleRevisionGenerator{
@@ -616,7 +609,6 @@ func (c *boxcutterReconcilerConfigurator) Configure(ceReconciler *controllers.Cl
 		Scheme:            c.mgr.GetScheme(),
 		RevisionGenerator: rg,
 		Preflights:        c.preflights,
-		PreAuthorizer:     preAuth,
 		FieldOwner:        fieldOwner,
 	}
 	revisionStatesGetter := &controllers.BoxcutterRevisionStatesGetter{Reader: c.mgr.GetClient()}
@@ -701,17 +693,6 @@ func (c *helmReconcilerConfigurator) Configure(ceReconciler *controllers.Cluster
 		return fmt.Errorf("unable to create helm action client getter: %w", err)
 	}
 
-	// determine if PreAuthorizer should be enabled based on feature gate
-	var preAuth authorization.PreAuthorizer
-	if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) {
-		preAuth = authorization.NewRBACPreAuthorizer(
-			c.mgr.GetClient(),
-			// Additional verbs / bundle manifest that are expected by the content manager to watch those resources
-			authorization.WithClusterCollectionVerbs("list", "watch"),
-			authorization.WithNamespacedCollectionVerbs("create"),
-		)
-	}
-
 	cm, err := contentmanager.NewManager(c.mgr.GetConfig(), c.mgr.GetRESTMapper())
 	if err != nil {
 		setupLog.Error(err, "unable to create content manager")
@@ -726,15 +707,13 @@ func (c *helmReconcilerConfigurator) Configure(ceReconciler *controllers.Cluster
 		return err
 	}
 
-	// now initialize the helmApplier, assigning the potentially nil preAuth
 	appl := &applier.Helm{
 		ActionClientGetter: acg,
 		Preflights:         c.preflights,
 		HelmChartProvider: &applier.RegistryV1HelmChartProvider{
 			ManifestProvider: c.regv1ManifestProvider,
 		},
 		HelmReleaseToObjectsConverter: &applier.HelmReleaseToObjectsConverter{},
-		PreAuthorizer:                 preAuth,
 		Watcher:                       c.watcher,
 		Manager:                       cm,
 	}

docs/concepts/permission-model.md

@@ -1,34 +1,23 @@
 #### OLMv1 Permission Model
 
-> **Deprecated:** The permission model described below is no longer accurate.
-> operator-controller now runs with cluster-admin privileges and uses its own ServiceAccount
-> for all extension lifecycle operations. The `spec.serviceAccount` field on ClusterExtension
-> is deprecated and ignored.
+OLM v1's permission model is built on a simple principle: **operator-controller runs as cluster-admin**, and the security boundary is defined by who can create and modify `ClusterExtension` and `ClusterCatalog` resources.
 
-Here we aim to describe the OLMv1 permission model. OLMv1 itself does not have cluster-wide admin permissions. Therefore, each cluster extension must specify a service account with sufficient permissions to install and manage it. While this service account is distinct from any service account defined in the bundle, it will need sufficient privileges to create and assign the required RBAC. Therefore, the cluster extension service account's privileges would be a superset of the privileges required by the service account in the bundle.
+#### How It Works
 
-To understand the permission model, lets see the scope of the the service accounts associated with ClusterExtension deployment:
+1. **operator-controller** runs with `cluster-admin` privileges, giving it full authority to install and manage extension lifecycle resources (CRDs, Deployments, RBAC, etc.) on behalf of `ClusterExtension` objects.
+2. **Security is enforced via RBAC on the OLM APIs themselves.** Only cluster administrators should have `create`, `update`, or `delete` permissions on `ClusterExtension` and `ClusterCatalog` resources.
+3. **Creating a `ClusterExtension` is equivalent to having cluster-admin privileges**, because it instructs operator-controller to install arbitrary workloads and RBAC. Cluster administrators must not grant non-admin users write access to these APIs.
 
-#### Service Account associated with the ClusterExtension CR
+#### Security Considerations
 
-1) The ClusterExtension CR defines a service account to deploy and manage the ClusterExtension lifecycle and can be derived using the [document](../howto/derive-service-account.md). It is specified in the ClusterExtension [yaml](../tutorials/install-extension#L71) while deploying a ClusterExtension.
-2) The purpose of the service account specified in the ClusterExtension spec is to manage the cluster extension lifecycle. Its permissions are the cumulative of the permissions required for managing the cluster extension lifecycle and any RBAC that maybe included in the extension bundle.
-3) Since the extension bundle contains its own RBAC, it means the ClusterExtension service account requires either:
-- the same set of permissions that are defined in the RBAC that it is trying to create.
-- bind/escalate verbs for RBAC, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping
+!!! warning
+    `ClusterExtension` and `ClusterCatalog` are **cluster-admin-only APIs**. Granting non-admin users
+    `create`, `update`, or `delete` access on these resources is equivalent to granting them cluster-admin
+    privileges.
 
-#### Service Account/(s) part of the Extension Bundle
-1) The contents of the extension bundle may contain more service accounts and RBAC.
-2) The OLMv1 operator-controller creates the service account/(s) defined as part of the extension bundle with the required RBAC for the controller business logic.
+- Cluster admins must audit RBAC to ensure only trusted users can manage `ClusterExtension` and `ClusterCatalog` resources.
+- The rationale for this model is explained in the [Design Decisions](../project/olmv1_design_decisions.md) document.
 
-##### Example:
+#### Extension Resources
 
-Lets consider deployment of the ArgoCD operator. The ClusterExtension ClusterResource specifies a service account as part of its spec, usually denoted as the ClusterExtension installer service account. 
-The ArgoCD operator specifies the `argocd-operator-controller-manager` [service account](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator.v0.6.0.clusterserviceversion.yaml#L1124) with necessary RBAC for the bundle resources and OLMv1 creates it as part of this extension bundle deployment.
-
-The extension bundle CSV contains the [permissions](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator.v0.6.0.clusterserviceversion.yaml#L1091) and [cluster permissions](https://github.com/argoproj-labs/argocd-operator/blob/da6b8a7e68f71920de9545152714b9066990fc4b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator.v0.6.0.clusterserviceversion.yaml#L872) allow the operator to manage and run the controller logic. These permissions are assigned to the `argocd-operator-controller-manager` service account when the operator bundle is deployed.
-
-OLM v1 will assign all the RBAC specified in the extension bundle to the above service account.
-The ClusterExtension installer service account will need all the RBAC specified for the `argocd-operator-controller-manager` and additional RBAC for deploying the ClusterExtension.
-
-**Note**: The ClusterExtension permissions are not propogated to the deployment. The ClusterExtension service account and the bundle's service accounts have different purposes and naming conflicts between the two service accounts can lead to failure of ClusterExtension deployment.
+operator-controller installs and manages all resources declared in an extension's bundle, including any ServiceAccounts, RBAC, Deployments, and other Kubernetes objects. These resources are distinct from operator-controller's own service account and are scoped to whatever the bundle declares.

docs/draft/howto/configure-bundles.md

@@ -147,6 +147,8 @@ metadata:
 spec:
   namespace: operators
   # No config provided = Operator watches the entire cluster (AllNamespaces)
+  serviceAccount:
+    name: global-operator-installer
   source:
     sourceType: Catalog
     catalog: