[WIP] Check if operator is installed with privileged rights

.gitignore

@@ -16,6 +16,8 @@
 /tools/cluster-api
 /tools/airgapped_kind/kind_node/node.tar.gz
 /tools/dockerd-manifest.yml
+/tools/olm/
+/tools/operator_sdk/
 admin.conf
 cnf-testsuite
 results.yml

embedded_files/points.yml

@@ -107,6 +107,8 @@
   tags: configuration, static, workload
 - name: operator_installed
   tags: configuration, dynamic, workload, cert, bonus
+- name: operator_privileged
+  tags: configuration, dynamic, workload, cert, bonus
 - name: liveness
   tags: resilience, dynamic, workload, essential, cert
   pass: 100

sample-cnfs/sample_privileged_operator/chart/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: simple-privileged-operator
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.0
+appVersion: 0.0.1

sample-cnfs/sample_privileged_operator/chart/templates/simple_priv_operator_subscription.yaml

@@ -0,0 +1,11 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: simple-privileged-operator
+  namespace: default
+spec:
+  channel: alpha
+  installPlanApproval: Automatic
+  name: simple-privileged-operator
+  source: localhost:5001
+  sourceNamespace: simple-privileged-operator

sample-cnfs/sample_privileged_operator/chart/values.yaml

@@ -0,0 +1,3 @@
+# Default values for simple-operator.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.

sample-cnfs/sample_privileged_operator/cnf-testsuite.yml

@@ -0,0 +1,4 @@
+---
+release_name: simple-privileged-operator
+helm_directory: chart
+helm_install_namespace: simple-privileged-operator

sample-cnfs/sample_privileged_operator/opm_bundle/bundle.Dockerfile

@@ -0,0 +1,15 @@
+FROM scratch
+
+# Core bundle labels.
+LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
+LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
+LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
+LABEL operators.operatorframework.io.bundle.package.v1=simple-privileged-operator
+LABEL operators.operatorframework.io.bundle.channels.v1=alpha
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.28.0-ocp
+LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
+LABEL operators.operatorframework.io.metrics.project_layout=unknown
+
+# Copy files to locations specified by labels.
+COPY /manifests /manifests/
+COPY /metadata /metadata/

sample-cnfs/sample_privileged_operator/opm_bundle/manifests/operator.tld_simples.yaml

@@ -0,0 +1,35 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  creationTimestamp: null
+  name: simples.operator.tld
+spec:
+  group: operator.tld
+  names:
+    kind: Simple
+    plural: simples
+    shortNames:
+    - sim
+    singular: simple
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              image:
+                type: string
+              replicas:
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: null
+  storedVersions: null

sample-cnfs/sample_privileged_operator/opm_bundle/manifests/simple-privileged-operator-role_rbac.authorization.k8s.io_v1_role.yaml

@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: simple-privileged-operator-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  - endpoints
+  - persistentvolumeclaims
+  - events
+  - configmaps
+  - secrets
+  verbs:
+  - '*'
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - daemonsets
+  - replicasets
+  - statefulsets
+  verbs:
+  - '*'

sample-cnfs/sample_privileged_operator/opm_bundle/manifests/simple-privileged-operator-rolebinding_rbac.authorization.k8s.io_v1_rolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  creationTimestamp: null
+  name: simple-privileged-operator-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: simple-privileged-operator-role
+subjects:
+- kind: ServiceAccount
+  name: simple-privileged-operator
+  namespace: simple-privileged-operator

sample-cnfs/sample_privileged_operator/opm_bundle/manifests/simple-privileged-operator.clusterserviceversion.yaml

@@ -0,0 +1,92 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: ClusterServiceVersion
+metadata:
+  annotations:
+    alm-examples: '[]'
+    capabilities: Basic Install
+    createdAt: "2023-10-09T20:58:19Z"
+    operators.operatorframework.io/builder: operator-sdk-v1.28.0-ocp
+    operators.operatorframework.io/project_layout: unknown
+  name: simple-privileged-operator.v0.0.0
+  namespace: simple-privileged-operator
+spec:
+  apiservicedefinitions: {}
+  customresourcedefinitions:
+    owned:
+    - kind: Simple
+      name: simples.operator.tld
+      version: v1alpha1
+  description: Simple Privileged Operator description. TODO.
+  displayName: Simple Privileged Operator
+  icon:
+  - base64data: ""
+    mediatype: ""
+  installModes:
+  - type: OwnNamespace
+    supported: true
+  - type: SingleNamespace
+    supported: false
+  - type: MultiNamespace
+    supported: false
+  - type: AllNamespaces
+    supported: false
+  install:
+    strategy: deployment
+    spec:
+      permissions:
+      - serviceAccountName: simple-privileged-operator
+        rules:
+        - apiGroups:
+          - ""
+          resources:
+          - pods
+          - services
+          - endpoints
+          - persistentvolumeclaims
+          - events
+          - configmaps
+          - secrets
+          verbs:
+          - '*'
+        - apiGroups:
+          - apps
+          resources:
+          - deployments
+          - daemonsets
+          - replicasets
+          - statefulsets
+          verbs:
+          - '*'
+      deployments:
+      - name: simple-privileged-operator
+        spec:
+          replicas: 1
+          selector:
+            matchLabels:
+              name: simple-privileged-operator
+          template:
+            metadata:
+              labels:
+                name: simple-privileged-operator
+            spec:
+              serviceAccountName: simple-privileged-operator
+              containers:
+              - name: simple-privileged-operator
+                image: busybox
+                command: ['sh', '-c', 'echo The app is running! && sleep 3600']
+                securityContext:
+                  privileged: true
+  keywords:
+  - simple-privileged-operator
+  links:
+  - name: Simple Privileged Operator
+    url: https://simple-privileged-operator.domain
+  maintainers:
+  - email: will@vulk.coop
+    name: Vulk Coop
+  maturity: alpha
+  provider:
+    name: Vulk Coop
+    url: https://vulk.coop
+  version: 0.0.0
+

sample-cnfs/sample_privileged_operator/opm_bundle/manifests/simple-privileged-operator_v1_serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: simple-privileged-operator
+  namespace: simple-privileged-operator

sample-cnfs/sample_privileged_operator/opm_bundle/metadata/annotations.yaml

@@ -0,0 +1,10 @@
+annotations:
+  # Core bundle annotations.
+  operators.operatorframework.io.bundle.mediatype.v1: registry+v1
+  operators.operatorframework.io.bundle.manifests.v1: manifests/
+  operators.operatorframework.io.bundle.metadata.v1: metadata/
+  operators.operatorframework.io.bundle.package.v1: simple-privileged-operator
+  operators.operatorframework.io.bundle.channels.v1: alpha
+  operators.operatorframework.io.metrics.builder: operator-sdk-v1.28.0-ocp
+  operators.operatorframework.io.metrics.mediatype.v1: metrics+v1
+  operators.operatorframework.io.metrics.project_layout: unknown

sample-cnfs/sample_privileged_operator/opm_bundle_src/crds/crd.yaml

@@ -0,0 +1,28 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: simples.operator.tld
+spec:
+  group: operator.tld
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        properties:
+          spec:
+            type: object
+            properties:
+              image:
+                type: string
+              replicas:
+                type: integer
+  scope: Namespaced
+  names:
+    plural: simples
+    singular: simple
+    kind: Simple
+    shortNames:
+    - sim

sample-cnfs/sample_privileged_operator/opm_bundle_src/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: simple-privileged-operator

sample-cnfs/sample_privileged_operator/opm_bundle_src/operatorgroup.yaml

@@ -0,0 +1,8 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: operatorgroup
+  namespace: simple-privileged-operator
+spec:
+  targetNamespaces:
+  - simple-privileged-operator

sample-cnfs/sample_privileged_operator/opm_bundle_src/role.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: simple-privileged-operator-role
+  namespace: simple-privileged-operator
+rules:
+- apiGroups: [""]
+  resources: ["pods", "services", "endpoints", "persistentvolumeclaims", "events", "configmaps", "secrets"]
+  verbs: ["*"]
+- apiGroups: ["apps"]
+  resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
+  verbs: ["*"]

sample-cnfs/sample_privileged_operator/opm_bundle_src/rolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: simple-privileged-operator-rolebinding
+  namespace: simple-privileged-operator
+subjects:
+- kind: ServiceAccount
+  name: simple-privileged-operator
+  namespace: simple-privileged-operator
+roleRef:
+  kind: Role
+  name: simple-privileged-operator-role
+  apiGroup: rbac.authorization.k8s.io

sample-cnfs/sample_privileged_operator/opm_bundle_src/sa.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: simple-privileged-operator
+  namespace: simple-privileged-operator