Summary
When you install an operator with OLM v0, OLM adds the operator’s provided APIs to the admin/edit/view roles for all namespaces. This means that any user with admin, edit, or view permission in any namespace has access to the operator’s APIs, and there is no way to change this.
Users have asked for a finer-grained permissions configuration for operator APIs. In addition to continuing to support the v0 model described above, v1 gives you more flexibility with new options:
- No permission management of any kind; RBAC configuration is left to the user managing the operator (likely an admin).
- Configure access in specific namespaces by name and/or label selector
- Configure admin/edit/view access for specific users and/or groups
- Configure custom permissions for specific users and/or groups
- Configure access to all operator-provided APIs, or a specific subset
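To see how far the v0 behavior described above reaches on a cluster, the following added example (not code from OLM or from this page) lists what the built-in admin/edit/view roles inherit for a given API group. It assumes the exposure comes from ClusterRoles carrying the standard Kubernetes `rbac.authorization.k8s.io/aggregate-to-*` labels; the role names and the `example.com` group in the sample are constructed.

```python
import json

# Labels Kubernetes uses to fold a ClusterRole's rules into the built-in roles.
AGG_PREFIX = "rbac.authorization.k8s.io/aggregate-to-"
BUILTIN = ("admin", "edit", "view")

# Constructed sample shaped like `kubectl get clusterroles -o json`.
# Role names and the example.com API group are made up.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "widgets-v1-admin", "labels":
    {"rbac.authorization.k8s.io/aggregate-to-admin": "true"}},
  "rules": [{"apiGroups": ["example.com"], "resources": ["widgets"], "verbs": ["*"]}]},
 {"metadata": {"name": "widgets-v1-view", "labels":
    {"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
  "rules": [{"apiGroups": ["example.com"], "resources": ["widgets"],
             "verbs": ["get", "list", "watch"]}]},
 {"metadata": {"name": "gadgets-operator"},
  "rules": [{"apiGroups": ["example.com"], "resources": ["gadgets"], "verbs": ["*"]}]},
 {"metadata": {"name": "metrics-reader", "labels":
    {"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
  "rules": [{"nonResourceURLs": ["/metrics"], "verbs": ["get"]}]}
]}
""")


def aggregated_grants(clusterroles, api_groups):
    """Map each built-in role to the {(group, resource): verbs} it inherits
    for the given API groups through aggregation labels."""
    grants = {role: {} for role in BUILTIN}
    for cr in clusterroles.get("items", []):
        labels = cr.get("metadata", {}).get("labels") or {}
        targets = [r for r in BUILTIN if labels.get(AGG_PREFIX + r) == "true"]
        for rule in cr.get("rules") or []:
            for group in rule.get("apiGroups", []):
                if group not in api_groups:
                    continue
                for resource in rule.get("resources", []):
                    for role in targets:
                        grants[role].setdefault((group, resource), set()).update(rule["verbs"])
    return grants


if __name__ == "__main__":
    for role, found in aggregated_grants(SAMPLE, {"example.com"}).items():
        for (group, resource), verbs in sorted(found.items()):
            print(f"{role}: {resource}.{group} -> {sorted(verbs)}")
```

Any entry reported under `admin`, `edit`, or `view` is reachable by every subject bound to that role in any namespace, which is the exposure the new options are meant to let you narrow.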
Design Docs
Task List