🐛 Replace cluster-admin with least-privilege RBAC for BoxcutterRuntime #2514

Merged: openshift-merge-bot[bot] merged 1 commit into operator-framework:main from perdasilva:rejigger-perms on Feb 18, 2026

@perdasilva
Contributor

The operator-controller service account was bound to the cluster-admin ClusterRole when the BoxcutterRuntime feature gate was enabled. Replace this with explicit, scoped RBAC rules in the operator-controller-manager-role ClusterRole:

  • list+watch on all API groups and resources (*/*), required for the boxcutter runtime to set up informers for arbitrary resource types defined in ClusterExtensionRevision phases
  • Full CRUD (create, get, list, patch, update, watch) on clusterextensionrevisions
  • patch+update on clusterextensionrevisions/status
  • update on clusterextensionrevisions/finalizers

The ClusterRoleBinding now always references operator-controller-manager-role regardless of whether BoxcutterRuntime is enabled, removing the conditional cluster-admin binding. Static manifests (experimental.yaml and experimental-e2e.yaml) are updated to match.

Description

Reviewer Checklist

  • API Go Documentation
  • Tests: Unit Tests (and E2E Tests, if appropriate)
  • Comprehensive Commit Messages
  • Links to related GitHub Issue(s)

The operator-controller service account was bound to the cluster-admin
ClusterRole when the BoxcutterRuntime feature gate was enabled. Replace
this with explicit, scoped RBAC rules in the operator-controller-manager-role
ClusterRole:

- list+watch on all API groups and resources (*/*), required for the
  boxcutter runtime to set up informers for arbitrary resource types
  defined in ClusterExtensionRevision phases
- Full CRUD (create, get, list, patch, update, watch) on
  clusterextensionrevisions
- patch+update on clusterextensionrevisions/status
- update on clusterextensionrevisions/finalizers

The ClusterRoleBinding now always references operator-controller-manager-role
regardless of whether BoxcutterRuntime is enabled, removing the conditional
cluster-admin binding. Static manifests (experimental.yaml and
experimental-e2e.yaml) are updated to match.

Signed-off-by: Per G. da Silva <pegoncal@redhat.com>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
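
To see what the change described above removes and what it keeps, here is an added example (not code from the PR or the project) that models Kubernetes RBAC rule matching and compares cluster-admin with the four rules listed in the description. The API group `olm.operatorframework.io` and the sample requests are assumptions, and any other rules the real ClusterRole carries are left out.

```python
# Added example: simplified model of Kubernetes RBAC rule matching.
OLM_GROUP = "olm.operatorframework.io"  # assumed API group, not stated on the page
CER = "clusterextensionrevisions"

CLUSTER_ADMIN = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

# The four rules listed in the PR description (other rules of the role omitted).
SCOPED_ROLE = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["list", "watch"]},
    {"apiGroups": [OLM_GROUP], "resources": [CER],
     "verbs": ["create", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": [OLM_GROUP], "resources": [CER + "/status"],
     "verbs": ["patch", "update"]},
    {"apiGroups": [OLM_GROUP], "resources": [CER + "/finalizers"],
     "verbs": ["update"]},
]


def _resource_matches(rule_resource, requested):
    """'*' matches everything; '*/sub' matches that subresource on any resource."""
    if rule_resource in ("*", requested):
        return True
    if "/" in requested and rule_resource.startswith("*/"):
        return rule_resource[2:] == requested.split("/", 1)[1]
    return False


def allowed(rules, verb, group, resource):
    """Return True if any rule grants `verb` on `group`/`resource`."""
    for rule in rules:
        if (any(v in ("*", verb) for v in rule["verbs"])
                and any(g in ("*", group) for g in rule["apiGroups"])
                and any(_resource_matches(r, resource) for r in rule["resources"])):
            return True
    return False


def lost_permissions(requests):
    """Requests cluster-admin allowed that the scoped role now denies."""
    return [r for r in requests
            if allowed(CLUSTER_ADMIN, *r) and not allowed(SCOPED_ROLE, *r)]


# Constructed requests: (verb, apiGroup, resource); "" is the core group.
SAMPLE_REQUESTS = [
    ("create", "rbac.authorization.k8s.io", "clusterrolebindings"),
    ("get", "", "secrets"),
    ("list", "", "secrets"),
    ("delete", OLM_GROUP, CER),
    ("update", OLM_GROUP, CER + "/status"),
]
```

The wildcard list+watch rule still matches Secrets, and a list response carries full objects, so the scoped role remains read-capable across the cluster even though every write outside clusterextensionrevisions is gone.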
Copilot AI review requested due to automatic review settings February 18, 2026 15:41
@netlify
netlify bot commented Feb 18, 2026

Deploy Preview for olmv1 ready!

Name Link
🔨 Latest commit 778644c
🔍 Latest deploy log https://app.netlify.com/projects/olmv1/deploys/6995ddae97ba410008b087a5
😎 Deploy Preview https://deploy-preview-2514--olmv1.netlify.app

Contributor

Copilot AI left a comment

Pull request overview

This PR replaces the cluster-admin ClusterRole binding with least-privilege RBAC permissions for the operator-controller when the BoxcutterRuntime feature gate is enabled, improving security by limiting permissions to only what is necessary.

Changes:

  • Added explicit RBAC rules for list/watch on all resources, full CRUD on clusterextensionrevisions, and update permissions on status/finalizers subresources
  • Removed conditional cluster-admin binding in favor of always using operator-controller-manager-role
  • Updated static manifests (experimental.yaml and experimental-e2e.yaml) to reflect the new RBAC configuration

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File: Description

  • manifests/experimental.yaml: Added new RBAC rules and changed ClusterRoleBinding from cluster-admin to operator-controller-manager-role
  • manifests/experimental-e2e.yaml: Applied same RBAC changes as experimental.yaml for e2e testing environment
  • helm/olmv1/templates/rbac/clusterrolebinding-operator-controller-manager-rolebinding.yml: Removed conditional logic that bound cluster-admin when BoxcutterRuntime was enabled
  • helm/olmv1/templates/rbac/clusterrole-operator-controller-manager-role.yml: Added BoxcutterRuntime-specific RBAC rules when feature gate is enabled

@codecov
codecov bot commented Feb 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.15%. Comparing base (130c987) to head (778644c).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2514      +/-   ##
==========================================
- Coverage   73.21%   73.15%   -0.06%     
==========================================
  Files         102      102              
  Lines        8505     8505              
==========================================
- Hits         6227     6222       -5     
- Misses       1802     1805       +3     
- Partials      476      478       +2     
Flag Coverage Δ
e2e 45.86% <ø> (-0.06%) ⬇️
experimental-e2e 53.27% <ø> (-0.13%) ⬇️
unit 57.89% <ø> (+0.02%) ⬆️

@camilamacedo86 camilamacedo86 changed the title 🐛 Replace cluster-admin with least-privilege RBAC for BoxcutterRuntime 🐛 Replace cluster-admin with least-privilege RBAC for BoxcutterRuntime Feb 18, 2026
@openshift-ci openshift-ci bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Feb 18, 2026
@camilamacedo86
Contributor

/lgtm cancel

for another person to be able to do that

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Feb 18, 2026
Member

@rashmigottipati rashmigottipati left a comment

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 18, 2026
@openshift-ci
openshift-ci bot commented Feb 18, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: camilamacedo86, rashmigottipati

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@grokspawn
Contributor

/override upgrade-ex2ex-e2e
we expect this to fail, as we're making changes to how privileges are granted

@openshift-ci
openshift-ci bot commented Feb 18, 2026

@grokspawn: Overrode contexts on behalf of grokspawn: upgrade-ex2ex-e2e

@grokspawn grokspawn closed this Feb 18, 2026
@grokspawn grokspawn reopened this Feb 18, 2026
@grokspawn
Contributor

/override project

@openshift-ci
openshift-ci bot commented Feb 18, 2026

@grokspawn: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

  • project

Only the following failed contexts/checkruns were expected:

  • Agent
  • Autovalidate
  • CodeQL analysis
  • Upload results
  • Verify PR title
  • codecov/project
  • crd-diff
  • e2e
  • experimental-e2e
  • extension-developer-e2e
  • go-apidiff
  • go-verdiff
  • goreleaser
  • lint
  • netlify/olmv1/deploy-preview
  • st2ex-e2e
  • tide
  • unit-test-basic
  • upgrade-st2st-e2e
  • verify

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

@grokspawn
Contributor

/override codecov/project

@openshift-ci
openshift-ci bot commented Feb 18, 2026

@grokspawn: Overrode contexts on behalf of grokspawn: codecov/project

@tmshort
Contributor

tmshort commented Feb 18, 2026

Note the failure is in the upgrade experimental-to-experimental...

The ClusterRoleBinding "operator-controller-manager-admin-rolebinding" is invalid: roleRef: Invalid value: {"APIGroup":"rbac.authorization.k8s.io","Kind":"ClusterRole","Name":"operator-controller-manager-role"}: cannot change roleRef

This should be ok, as it shouldn't impact existing installs.
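
The rejection quoted above comes from Kubernetes treating `roleRef` as immutable: a binding that points at a different role has to be deleted and created again. As an added example (not part of the PR or the project's tooling), this pre-upgrade check compares live bindings with the desired ones and says which need that treatment. The binding name comes from the quoted error; the second binding and the object layout are constructed for illustration.

```python
# Added example: plan how to roll out RBAC binding changes when roleRef is immutable.
BINDING_KINDS = {"ClusterRoleBinding", "RoleBinding"}


def _key(obj):
    meta = obj["metadata"]
    return (obj["kind"], meta.get("namespace", ""), meta["name"])


def _role_ref(obj):
    ref = obj["roleRef"]
    return (ref.get("apiGroup", ""), ref["kind"], ref["name"])


def plan_binding_rollout(live_objects, desired_objects):
    """Map each desired binding to 'create', 'update' or 'recreate'.

    'recreate' means a plain update would be rejected with
    "cannot change roleRef": the binding must be deleted and created again.
    """
    live = {_key(o): o for o in live_objects if o.get("kind") in BINDING_KINDS}
    plan = {}
    for obj in desired_objects:
        if obj.get("kind") not in BINDING_KINDS:
            continue  # roles, service accounts etc. are not affected
        current = live.get(_key(obj))
        if current is None:
            plan[_key(obj)] = "create"
        elif _role_ref(current) == _role_ref(obj):
            plan[_key(obj)] = "update"  # subjects may change in place
        else:
            plan[_key(obj)] = "recreate"
    return plan


def _crb(name, role):  # builds constructed sample objects
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": role}}


NAME = "operator-controller-manager-admin-rolebinding"  # name from the quoted error
LIVE = [_crb(NAME, "cluster-admin")]  # constructed: install made before this change
DESIRED = [_crb(NAME, "operator-controller-manager-role"),
           _crb("example-new-binding", "operator-controller-manager-role")]  # hypothetical

if __name__ == "__main__":
    for key, action in plan_binding_rollout(LIVE, DESIRED).items():
        print(action, key)
```

`kubectl auth reconcile -f <manifest>` performs the same delete-and-recreate step for bindings whose role reference changed.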

@openshift-merge-bot openshift-merge-bot bot merged commit fb28936 into operator-framework:main Feb 18, 2026
56 of 63 checks passed
Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
