From a7ae6b1537906beec994fa7559a9035425a3b17a Mon Sep 17 00:00:00 2001 From: Jonathan Berkhahn Date: Wed, 18 Mar 2020 15:47:39 -0700 Subject: [PATCH 1/3] Add docs about needed cluster roles for e2e operator tests --- doc/test-framework/writing-e2e-tests.md | 36 +++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/doc/test-framework/writing-e2e-tests.md b/doc/test-framework/writing-e2e-tests.md index b909dac3eeb..22eece93500 100644 --- a/doc/test-framework/writing-e2e-tests.md +++ b/doc/test-framework/writing-e2e-tests.md @@ -275,6 +275,42 @@ $ kubectl create -f deploy/operator.yaml --namespace operator-test $ operator-sdk test local ./test/e2e --namespace operator-test --no-setup ``` +### Test Permissions + +Executing e2e tests requires the permission to access, create, and delete resources on your cluster. Depending on what kind of Kubernetes cluster +you are using, this may require some manual setup. For example, OpenShift users are not created with cluster-admin access by default, so you would have +to manually add permissions to access these resources. + +The simplest way to accomplish this is to bind the cluster-admin Cluster Role to the Service Account you will run the test under. +If you are unable or unwilling to grant such access, a more limited Cluster Role such as this testuser can be created and bound +to the Service Account you are using. + +``` +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: testuser +rules: +- apiGroups: + - "" + - apiextensions.k8s.io + - cache.example.com # the api space your tests are created in + - apps + resources: + - memcacheds # the type(s) of the CRD in your operator + - namespaces + - customresourcedefinitions + - deployments + - pods + verbs: + - create + - delete + - get + - list + - watch + - update +``` + For more documentation on the `operator-sdk test local` command, see the [SDK CLI Reference][cli-test-local] doc. ### Skip-Cleanup-Error Flag 
From 600e284d6257deb6e5fc04c6008a5b51b36c249a Mon Sep 17 00:00:00 2001 From: Jonathan Berkhahn Date: Thu, 19 Mar 2020 14:16:09 -0700 Subject: [PATCH 2/3] switch e2e docs example to memcached operator role --- doc/test-framework/writing-e2e-tests.md | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/doc/test-framework/writing-e2e-tests.md b/doc/test-framework/writing-e2e-tests.md index 22eece93500..f8614f4ac84 100644 --- a/doc/test-framework/writing-e2e-tests.md +++ b/doc/test-framework/writing-e2e-tests.md @@ -282,9 +282,9 @@ you are using, this may require some manual setup. For example, OpenShift users to manually add permissions to access these resources. The simplest way to accomplish this is to bind the cluster-admin Cluster Role to the Service Account you will run the test under. -If you are unable or unwilling to grant such access, a more limited Cluster Role such as this testuser can be created and bound -to the Service Account you are using. - +If you are unable or unwilling to grant such access, a more limited permission set can be created and bound to your Service Account. +A good place to start would be the Role bound to your operator itself, such as [this role for the memcached operator example][memcached-role]. +In addition, you might have to create a Cluster Role to allow your tests to create namespaces, like so: ``` apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -293,15 +293,8 @@ metadata: rules: - apiGroups: - "" - - apiextensions.k8s.io - - cache.example.com # the api space your tests are created in - - apps resources: - - memcacheds # the type(s) of the CRD in your operator - namespaces - - customresourcedefinitions - - deployments - - pods verbs: - create - delete 
@@ -311,6 +304,8 @@ rules: - update ``` +Note that this isn't an exhaustive permission set, and the e2e tests you write might require more or less access. + For more documentation on the `operator-sdk test local` command, see the [SDK CLI Reference][cli-test-local] doc. ### Skip-Cleanup-Error Flag @@ -386,3 +381,4 @@ $ kubectl delete -f deploy/crds/cache.example.com_memcacheds_crd.yaml [scheme-link]:https://github.com/operator-framework/operator-sdk/blob/master/pkg/test/framework.go#L109 [cli-test-local]:https://github.com/operator-framework/operator-sdk/blob/master/doc/cli/operator-sdk_test_local.md [main-entry-link]:https://github.com/operator-framework/operator-sdk/blob/master/pkg/test/main_entry.go#L25 +[memcached-role]:https://github.com/operator-framework/operator-sdk-samples/blob/master/go/memcached-operator/deploy/role.yaml From 031fa235deadb1735e0f2f26838825565f633afa Mon Sep 17 00:00:00 2001 From: Jonathan Berkhahn Date: Thu, 19 Mar 2020 16:03:47 -0700 Subject: [PATCH 3/3] add change to /website --- .../docs/test-framework/writing-e2e-tests.md | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/website/content/en/docs/test-framework/writing-e2e-tests.md b/website/content/en/docs/test-framework/writing-e2e-tests.md index b909dac3eeb..f8614f4ac84 100644 --- a/website/content/en/docs/test-framework/writing-e2e-tests.md +++ b/website/content/en/docs/test-framework/writing-e2e-tests.md 
@@ -275,6 +275,37 @@ $ kubectl create -f deploy/operator.yaml --namespace operator-test $ operator-sdk test local ./test/e2e --namespace operator-test --no-setup ``` +### Test Permissions + +Executing e2e tests requires the permission to access, create, and delete resources on your cluster. Depending on what kind of Kubernetes cluster +you are using, this may require some manual setup. For example, OpenShift users are not created with cluster-admin access by default, so you would have +to manually add permissions to access these resources. + +The simplest way to accomplish this is to bind the cluster-admin Cluster Role to the Service Account you will run the test under. +If you are unable or unwilling to grant such access, a more limited permission set can be created and bound to your Service Account. +A good place to start would be the Role bound to your operator itself, such as [this role for the memcached operator example][memcached-role]. +In addition, you might have to create a Cluster Role to allow your tests to create namespaces, like so: +``` +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: testuser +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - create + - delete + - get + - list + - watch + - update +``` + +Note that this isn't an exhaustive permission set, and the e2e tests you write might require more or less access. + For more documentation on the `operator-sdk test local` command, see the [SDK CLI Reference][cli-test-local] doc. ### Skip-Cleanup-Error Flag 
@@ -350,3 +381,4 @@ $ kubectl delete -f deploy/crds/cache.example.com_memcacheds_crd.yaml [scheme-link]:https://github.com/operator-framework/operator-sdk/blob/master/pkg/test/framework.go#L109 [cli-test-local]:https://github.com/operator-framework/operator-sdk/blob/master/doc/cli/operator-sdk_test_local.md [main-entry-link]:https://github.com/operator-framework/operator-sdk/blob/master/pkg/test/main_entry.go#L25 +[memcached-role]:https://github.com/operator-framework/operator-sdk-samples/blob/master/go/memcached-operator/deploy/role.yaml
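Review bot: In [PATCH 1/3], hunk `@@ -275,6 +275,42 @@`, the sentence "The simplest way to accomplish this is to bind the cluster-admin Cluster Role to the Service Account you will run the test under" makes cluster-admin the default recommendation and leaves the scoped role as a fallback for readers who are "unable or unwilling". I would reverse the order: describe the limited role first, and mention cluster-admin only as a shortcut for a disposable test cluster, with a reminder to remove the binding when the run is over. The paragraph also starts with "OpenShift users" and ends with "the Service Account" without saying which identity the tests authenticate as, and it never shows the binding itself. Please name the subject explicitly and add the binding manifest or command next to the role.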
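Review bot: In [PATCH 2/3], hunk `@@ -282,9 +282,9 @@`, the blank line before the code fence is removed, so "like so:" is now followed directly by the opening fence. Some Markdown renderers need the blank line to start a fenced block after a paragraph, so please restore it, and consider tagging the fence as `yaml` while you are there. On content: the new text points at "the Role bound to your operator itself" and then at a separate Cluster Role, but does not say that the first is namespaced and should be bound in the test namespace only. A reader could bind both cluster-wide, so one sentence stating the intended scope of each binding would help.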
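Review bot: In [PATCH 2/3], hunk `@@ -293,15 +293,8 @@`, the trimmed rule still grants `delete` and `update` on `namespaces` through a ClusterRole, which applies to every namespace in the cluster, not only the ones the tests create. The surrounding text says the role lets tests "create namespaces", so either drop the verbs the tests do not need or state plainly that the bound account can delete any namespace and that the role is meant for a dedicated test cluster. The name `testuser` is also misleading for a role; something that describes the permission, for example a name mentioning e2e namespace management, would read better in `kubectl get clusterroles` output.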
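Review bot: In [PATCH 3/3], hunk `@@ -275,6 +275,37 @@`, the section added under `website/content/en/docs/test-framework/` repeats the `doc/test-framework/` text verbatim (both index lines end at `f8614f4ac84`), so it carries over the same issues: cluster-admin presented as the simplest option, no blank line between "like so:" and the fence, and cluster-wide `delete` on `namespaces`. Any fix made in response to the earlier comments needs to land in both files. Since patch 2 rewrites most of the YAML introduced in patch 1, consider squashing the series so that the broader `testuser` role with `customresourcedefinitions`, `deployments` and `pods` never appears in history as a documented recommendation.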