OLM doesn't create roles corresponding to the permissions defined in the CSV file #1625

Closed
posriniv opened this issue Jul 8, 2020 · 3 comments · Fixed by #1629
posriniv commented Jul 8, 2020

Bug Report

What did you do?
We are trying to install IBM IAM Operator (https://github.com/IBM/ibm-iam-operator) from this catalogSource definition:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: opencloud-operators
  namespace: openshift-marketplace
spec:
  displayName: IBMCS Operators
  publisher: IBM
  sourceType: grpc
  image: quay.io/opencloudio/ibm-common-service-catalog:dev-latest
  updateStrategy:
    registryPoll:
      interval: 45m

The following permissions are defined in our CSV https://github.com/IBM/ibm-iam-operator/blob/master/deploy/olm-catalog/ibm-iam-operator/3.6.4/ibm-iam-operator.v3.6.4.clusterserviceversion.yaml#L1592-L1953 .

What did you expect to see?
We expect to see three different roles created and associated with three different serviceAccounts, as is evident from the lines highlighted in the CSV file.

What did you see instead? Under which circumstances?
All three roles and the rolebindings associating them with the serviceAccounts were created successfully prior to OpenShift Container Platform 4.4.6, and everything worked as expected. However, we have found that on OpenShift Container Platform 4.4.11 and 4.5.0-rc6, all three roles and rolebindings to the serviceaccounts have NOT been created (only one role and rolebinding is created), and the following errors are seen:

oc describe csv ibm-iam-operator | grep NotSatisfied -B 5
      Status:   Satisfied
      Version:  v1
      Group:    rbac.authorization.k8s.io
      Kind:     PolicyRule
      Message:  namespaced rule:{"verbs":["get","create"],"apiGroups":["monitoring.coreos.com"],"resources":["servicemonitors"]}
      Status:   NotSatisfied
--
      Version:  v1
      Group:    rbac.authorization.k8s.io
      Kind:     PolicyRule
      Message:  namespaced rule:{"verbs":["update"],"apiGroups":["apps"],"resources":["deployments/finalizers"],"resourceNames":["ibm-iam-operator"]}
      Status:   NotSatisfied
--
      Status:   Satisfied
      Version:  v1
      Group:    rbac.authorization.k8s.io
      Kind:     PolicyRule
      Message:  namespaced rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["operator.ibm.com"],"resources":["*","policydecisions","oidcclientwatchers","authentications","policycontrollers","paps","securityonboardings"]}
      Status:   NotSatisfied
--
      Version:  v1
      Group:    rbac.authorization.k8s.io
      Kind:     PolicyRule
      Message:  namespaced rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["certmanager.k8s.io"],"resources":["*","certificates"]}
      Status:   NotSatisfied
--
      Version:  v1
      Group:    rbac.authorization.k8s.io
      Kind:     PolicyRule
      Message:  namespaced rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["networking.k8s.io"],"resources":["*","ingresses"]}
      Status:   NotSatisfied
--
      Version:  v1
      Group:    rbac.authorization.k8s.io
      Kind:     PolicyRule
      Message:  namespaced rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["batch"],"resources":["jobs"]}
      Status:   NotSatisfied
--
      Version:  v1
    Group:
    Kind:       ServiceAccount
    Message:    Policy rule not satisfied for service account
    Name:       ibm-iam-operand-restricted
    Status:     PresentNotSatisfied

Environment

  • operator-lifecycle-manager version:
    OLM version: 0.15.1
    git commit: 922f6ad

  • Kubernetes version information:

Kubernetes Version: v1.18.3+6025c28

  • Kubernetes cluster kind:

Possible Solution

Additional context
Add any other context about the problem here.
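
The status excerpt in the report above can be turned into structured data for triage: which RBAC rules and which service account the CSV reports as unsatisfied. This is an added example, not code from the issue or from OLM; the field order (Group opens each entry, Status follows Message) is an assumption inferred from the excerpt, and the sample text is copied from three of the reported blocks.

```python
import json
import re

# Sample input: three blocks copied from the grep output quoted in the issue.
SAMPLE = """\
      Status:   Satisfied
      Version:  v1
      Group:    rbac.authorization.k8s.io
      Kind:     PolicyRule
      Message:  namespaced rule:{"verbs":["get","create"],"apiGroups":["monitoring.coreos.com"],"resources":["servicemonitors"]}
      Status:   NotSatisfied
--
      Version:  v1
      Group:    rbac.authorization.k8s.io
      Kind:     PolicyRule
      Message:  namespaced rule:{"verbs":["update"],"apiGroups":["apps"],"resources":["deployments/finalizers"],"resourceNames":["ibm-iam-operator"]}
      Status:   NotSatisfied
--
      Version:  v1
    Group:
    Kind:       ServiceAccount
    Message:    Policy rule not satisfied for service account
    Name:       ibm-iam-operand-restricted
    Status:     PresentNotSatisfied
"""

FIELD = re.compile(r"^\s*(\w+):\s*(.*)$")
RULE_PREFIX = "namespaced rule:"

def unsatisfied(text):
    """Return (rules, service_accounts) that the CSV status reports as not satisfied."""
    rules, accounts, entry = [], [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:              # "--" separators written by grep, blank lines
            entry = {}
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Group":     # assumption: Group is the first field of an entry
            entry = {}         # drops context lines left over from the previous entry
        entry[key] = value
        if key != "Status" or "NotSatisfied" not in value:
            continue
        msg = entry.get("Message", "")
        if entry.get("Kind") == "PolicyRule" and msg.startswith(RULE_PREFIX):
            rules.append(json.loads(msg[len(RULE_PREFIX):]))
        elif entry.get("Kind") == "ServiceAccount":
            accounts.append(entry.get("Name"))
    return rules, accounts
```

The leading `Status: Satisfied` line in the first block belongs to the preceding entry (it is `grep -B 5` context), which is why the parser resets its state at each `Group` field.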

matskiv commented Jul 9, 2020

btw: there is a BugZilla for this issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1855088

matskiv commented Jul 10, 2020

@posriniv Hi!
I sent a PR which addresses the problem of missing (Cluster)RoleBindings.
Is it important for your use case to have 3 distinct Roles created?

@posriniv
Author

@matskiv Yes, it is important for us.
