
local role becomes cluster role when operator is deployed. #874

Closed
raffaelespazzoli opened this issue May 28, 2019 · 4 comments

@raffaelespazzoli

I have an operator defined by the attached CSV
cert-utils-operator.zip

The thing to notice is that this operator has both a role and a cluster role.

when I make it available through the operator hub the attached install plan is created. At this point I can still see that there are two roles, one is local and one is a cluster role.

when the operator is deployed three roles are created:

  1. local role
  2. cluster roles: the correct one and a clusterrole version of the local role.

this should clarify what I mean:

[screenshot: the roles created for the operator]

Also the corresponding bindings to the operator service accounts are created.

This should not happen. However I am not sure if I am doing something wrong or if this is a bug.

@njhale

njhale commented May 28, 2019

If you are creating a Subscription in a namespace with a global (cluster-wide) OperatorGroup, OLM promotes Roles/RoleBindings to ClusterRoles/ClusterRoleBindings to avoid copying the former to each namespace. This behavior is in our design docs for OperatorGroups.

Is it causing issues for your operator's deployment?

@raffaelespazzoli
Author

this is the OperatorGroup in the namespace where the operator is deployed:

apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  creationTimestamp: '2019-05-27T12:03:10Z'
  generateName: cert-utils-operator-
  generation: 1
  name: cert-utils-operator-qd482
  namespace: cert-utils-operator
  resourceVersion: '3023572'
  selfLink: >-
    /apis/operators.coreos.com/v1/namespaces/cert-utils-operator/operatorgroups/cert-utils-operator-qd482
  uid: 655b9cb5-8077-11e9-ae7b-028f32d1fd70
spec:
  targetNamespaces:
    - cert-utils-operator
status:
  lastUpdated: '2019-05-27T12:03:10Z'
  namespaces:
    - cert-utils-operator

is this global?
this is the corresponding subscription:

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  creationTimestamp: '2019-05-27T12:03:10Z'
  generation: 1
  labels:
    csc-owner-name: installed-custom-cert-utils-operator
    csc-owner-namespace: openshift-marketplace
  name: cert-utils-operator
  namespace: cert-utils-operator
  resourceVersion: '3023745'
  selfLink: >-
    /apis/operators.coreos.com/v1alpha1/namespaces/cert-utils-operator/subscriptions/cert-utils-operator
  uid: 6568b9fc-8077-11e9-ae7b-028f32d1fd70
spec:
  channel: alpha
  installPlanApproval: Automatic
  name: cert-utils-operator
  source: installed-custom-cert-utils-operator
  sourceNamespace: cert-utils-operator
  startingCSV: cert-utils-operator.v0.0.1
status:
  currentCSV: cert-utils-operator.v0.0.1
  installPlanRef:
    apiVersion: operators.coreos.com/v1alpha1
    kind: InstallPlan
    name: install-q9jnx
    namespace: cert-utils-operator
    resourceVersion: '3023693'
    uid: 70f918a0-8077-11e9-ae7b-028f32d1fd70
  installedCSV: cert-utils-operator.v0.0.1
  installplan:
    apiVersion: operators.coreos.com/v1alpha1
    kind: InstallPlan
    name: install-q9jnx
    uuid: 70f918a0-8077-11e9-ae7b-028f32d1fd70
  lastUpdated: '2019-05-27T12:03:32Z'
  state: AtLatestKnown

to answer your question, this is not affecting the deployment of the operator, however it is giving the operator many more permissions than it actually needs.
So, for an operator such as this which has a global role and a local role, what is the right way to deploy it in such a way as to not end up with more permissions than needed?

@ecordell
Member

@raffaelespazzoli Your CSV is using the clusterPermissions field to define RBAC requirements. If you use permissions instead, you will see local RBAC be provided instead of ClusterRoles.

Closing since I believe this will solve your problem. Please re-open if you have more questions!
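The two rules stated in this thread (njhale's: Roles declared in a CSV are promoted to ClusterRoles when the Subscription sits in a global OperatorGroup; ecordell's: anything under clusterPermissions is always a ClusterRole, so namespace-scoped rules belong under permissions) can be turned into a small pre-install predictor plus a post-install check. The script below is an added example and is not OLM code or the cert-utils-operator's CSV. It works on dicts in the shape `kubectl get <kind> -o json` returns. The service account name, the rule sets, the ClusterRoleBinding names and the treatment of an OperatorGroup as global when its spec has neither targetNamespaces nor selector are assumptions for the example; OLM's actual naming of the generated objects is not predicted.

```python
"""Added example, not OLM's own code: predict the RBAC kinds OLM creates for a
ClusterServiceVersion (CSV) and check what a service account actually holds.

Rules applied, as stated in the issue thread:
  * spec.install.spec.clusterPermissions entries always become
    ClusterRole + ClusterRoleBinding;
  * spec.install.spec.permissions entries become Role + RoleBinding, unless the
    OperatorGroup is global, in which case OLM promotes them to
    ClusterRole + ClusterRoleBinding.
Assumption beyond the thread: an OperatorGroup is global when its spec has neither
targetNamespaces nor selector. Sample objects below are constructed for this example.
"""
from typing import Dict, List, Tuple

Grant = Tuple[str, str, str]  # (serviceAccountName, role kind, binding kind)


def is_global_operatorgroup(og: Dict) -> bool:
    spec = og.get("spec") or {}
    return not spec.get("targetNamespaces") and not spec.get("selector")


def predict_rbac(csv: Dict, og: Dict) -> List[Grant]:
    """Kinds of role/binding OLM will create for each permission entry in the CSV."""
    install = csv["spec"]["install"]["spec"]
    promote = is_global_operatorgroup(og)
    grants: List[Grant] = []
    for entry in install.get("clusterPermissions") or []:
        grants.append((entry["serviceAccountName"], "ClusterRole", "ClusterRoleBinding"))
    for entry in install.get("permissions") or []:
        kind, binding = ("ClusterRole", "ClusterRoleBinding") if promote else ("Role", "RoleBinding")
        grants.append((entry["serviceAccountName"], kind, binding))
    return grants


def cluster_bindings_for_sa(crbs: Dict, namespace: str, name: str) -> List[str]:
    """Post-install check: ClusterRoleBindings (from `kubectl get clusterrolebindings -o json`)
    that list the given ServiceAccount as a subject, i.e. cluster-wide grants it holds."""
    hits = []
    for crb in crbs.get("items") or []:
        for subject in crb.get("subjects") or []:
            if (subject.get("kind") == "ServiceAccount"
                    and subject.get("name") == name
                    and subject.get("namespace") == namespace):
                hits.append(crb["metadata"]["name"])
                break
    return hits


# --- constructed sample objects (not the reporter's attached CSV) -------------
SA = "cert-utils-operator"  # assumed service account name
LOCAL_RULES = [{"apiGroups": [""], "resources": ["secrets", "configmaps"],
                "verbs": ["get", "list", "watch", "update"]}]
CLUSTER_RULES = [{"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
                  "verbs": ["get", "list", "watch"]}]


def make_csv(permissions, cluster_permissions) -> Dict:
    return {"apiVersion": "operators.coreos.com/v1alpha1", "kind": "ClusterServiceVersion",
            "metadata": {"name": "cert-utils-operator.v0.0.1"},
            "spec": {"install": {"strategy": "deployment", "spec": {
                "permissions": permissions, "clusterPermissions": cluster_permissions}}}}


# What the thread diagnoses: both rule sets declared under clusterPermissions.
CSV_BEFORE = make_csv([], [{"serviceAccountName": SA, "rules": LOCAL_RULES},
                           {"serviceAccountName": SA, "rules": CLUSTER_RULES}])
# The suggested fix: namespace-scoped rules moved under permissions.
CSV_AFTER = make_csv([{"serviceAccountName": SA, "rules": LOCAL_RULES}],
                     [{"serviceAccountName": SA, "rules": CLUSTER_RULES}])

TARGETED_OG = {"kind": "OperatorGroup", "spec": {"targetNamespaces": ["cert-utils-operator"]}}
GLOBAL_OG = {"kind": "OperatorGroup", "spec": {}}  # no targetNamespaces: selects every namespace

SAMPLE_CRBS = {"items": [
    {"metadata": {"name": "cert-utils-operator.v0.0.1-crb-example"},  # constructed name
     "roleRef": {"kind": "ClusterRole", "name": "cert-utils-operator.v0.0.1-cr-example"},
     "subjects": [{"kind": "ServiceAccount", "name": SA, "namespace": "cert-utils-operator"}]},
    {"metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]}

if __name__ == "__main__":
    for label, csv, og in [("before, targeted OG", CSV_BEFORE, TARGETED_OG),
                           ("after, targeted OG", CSV_AFTER, TARGETED_OG),
                           ("after, global OG", CSV_AFTER, GLOBAL_OG)]:
        print(label, [kind for _, kind, _ in predict_rbac(csv, og)])
    print("cluster bindings for SA:", cluster_bindings_for_sa(SAMPLE_CRBS, "cert-utils-operator", SA))
```

Run against the reporter's situation, the first case reproduces what was observed (two ClusterRoles despite a targeted OperatorGroup), the second shows the fix yielding one Role and one ClusterRole, and the third shows that the same corrected CSV would still get its Role promoted if installed under a global OperatorGroup. The binding check is the thing to run after installation: any ClusterRoleBinding naming the operator's service account is a cluster-wide grant, whichever path created it.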

@cdjohnson

Enhancement Proposal to toggle this ability:
operator-framework/enhancements#116
