35 changes: 35 additions & 0 deletions contrib/lifecycle-rbac.yaml
@@ -0,0 +1,35 @@
# RBAC required for the OpenShift Console to access the lifecycle-server API.
#
# The lifecycle-server authenticates callers via TokenReview and authorizes
# them via SubjectAccessReview on nonResourceURLs. The console backend uses
# its pod ServiceAccount token to authenticate, so that SA needs permission
# to GET the lifecycle API paths.
#
# These resources should be managed by the console-operator. They are
# provided here as a reference for development and testing.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: system:openshift:console:lifecycle-reader
annotations:
release.openshift.io/feature-set: "TechPreviewNoUpgrade"
rules:
- nonResourceURLs:
- "/api/*/lifecycles/*"
Comment on lines +17 to +18
Contributor
⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

The nonResourceURLs pattern is broader than necessary.

The pattern "/api/*/lifecycles/*" would match any API path containing /lifecycles/, but the actual endpoint is /api/olm/lifecycle/.... Consider tightening to match the specific route:

   - nonResourceURLs:
-      - "/api/*/lifecycles/*"
+      - "/api/olm/lifecycle/*"
     verbs:
       - "get"

This follows the principle of least privilege and prevents unintended access to future endpoints that might match the broader pattern.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@contrib/lifecycle-rbac.yaml` around lines 17 - 18, The nonResourceURLs entry
currently uses an overly broad pattern "/api/*/lifecycles/*"; update the
nonResourceURLs value to the specific route used by the service (e.g.
"/api/olm/lifecycle/*") so the RBAC rule only matches the intended
endpoint—modify the nonResourceURLs array item (the string literal) to the
tightened pattern to follow least privilege.

verbs:
- "get"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: console-lifecycle-reader
annotations:
release.openshift.io/feature-set: "TechPreviewNoUpgrade"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:openshift:console:lifecycle-reader
subjects:
- kind: ServiceAccount
name: console
namespace: openshift-console
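Review bot: the mid-path wildcard in the nonResourceURLs entry `"/api/*/lifecycles/*"` will not match the console's requests at all. Kubernetes RBAC honours `*` in a nonResourceURL only as the final segment (a prefix match on everything before it), so this rule only matches request paths that literally begin with `/api/*/lifecycles/`, and the SubjectAccessReview described in the file header would deny the console's real calls. Use a trailing wildcard on the concrete route, e.g. `- "/api/olm/lifecycle/*"` as the inline suggestion above already proposes; that also yields the narrower grant the header's least-privilege intent calls for.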
1 change: 1 addition & 0 deletions frontend/packages/console-shared/src/constants/time.ts
@@ -3,3 +3,4 @@ export const ONE_MINUTE = 60 * ONE_SECOND;
export const ONE_HOUR = 60 * ONE_MINUTE;
export const ONE_DAY = 24 * ONE_HOUR;
export const ONE_WEEK = 7 * ONE_DAY;
export const ONE_YEAR = 365 * ONE_DAY;
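Review bot: `ONE_YEAR = 365 * ONE_DAY` is an approximation that ignores leap years, which is fine for coarse display thresholds but misleading as a calendar unit; add a short comment saying so, in the style of the surrounding constants, so nobody reaches for it in date arithmetic.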
@@ -10,6 +10,12 @@
"flag": "OPERATOR_LIFECYCLE_MANAGER"
}
},
{
"type": "console.flag",
"properties": {
"handler": { "$codeRef": "features.detectLifecycleMetadata" }
}
},
{
"type": "console.model-metadata",
"properties": {
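Review bot: the new `console.flag` extension carries no `flags` gating, so the `features.detectLifecycleMetadata` handler runs on every console load, including clusters where the `OPERATOR_LIFECYCLE_MANAGER` flag from the preceding entry is never set. If the detector calls the lifecycle API, either gate the extension (`"flags": { "required": ["OPERATOR_LIFECYCLE_MANAGER"] }`) or have the handler return early when OLM is absent, so a failed authorization against the contrib/lifecycle-rbac.yaml rule does not surface as a startup error.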
@@ -76,7 +76,10 @@
"Status": "Status",
"Last updated": "Last updated",
"Provided APIs": "Provided APIs",
"Cluster Compatibility": "Cluster Compatibility",
"Support": "Support",
"Installed Operators": "Installed Operators",
"Operator": "Operator",
"Installed Operators are represented by ClusterServiceVersions within this Namespace.": "Installed Operators are represented by ClusterServiceVersions within this Namespace.",
" For more information, see the <3>Understanding Operators documentation</3>. Or create an Operator and ClusterServiceVersion using the <6>Operator SDK</6>.": " For more information, see the <3>Understanding Operators documentation</3>. Or create an Operator and ClusterServiceVersion using the <6>Operator SDK</6>.",
"Required": "Required",
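Review bot: `"Support"` and `"Operator"` are not new strings in this hunk; the same keys are removed in the later hunks of this file, so this is a reordering produced by i18n extraction. Confirm the file was regenerated with the project's i18n script rather than hand-edited, so the key order stays stable on the next run.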
@@ -88,7 +91,6 @@
"This Operator was copied from another namespace. For the reason it failed, see <2></2>": "This Operator was copied from another namespace. For the reason it failed, see <2></2>",
"Description": "Description",
"Not available": "Not available",
"Support": "Support",
"Get support": "Get support",
"Created at": "Created at",
"Links": "Links",
@@ -146,7 +148,6 @@
"Confirm change": "Confirm change",
"An error occurred": "An error occurred",
"Key": "Key",
"Operator": "Operator",
"Values": "Values",
"Match expressions": "Match expressions",
"Add expression": "Add expression",
@@ -389,6 +390,10 @@
"Error: {{loadError}}": "Error: {{loadError}}",
"Failed to load installation status": "Failed to load installation status",
"Installing...": "Installing...",
"Compatible": "Compatible",
"Incompatible": "Incompatible",
"No data": "No data",
"Self-support": "Self-support",
"No PackageManifests Found": "No PackageManifests Found",
"The CatalogSource author has not added any packages.": "The CatalogSource author has not added any packages.",
"Catalogs are groups of Operators you can make available on the cluster. Use the <2>Software Catalog</2> to subscribe and grant namespaces access to use installed Operators.": "Catalogs are groups of Operators you can make available on the cluster. Use the <2>Software Catalog</2> to subscribe and grant namespaces access to use installed Operators.",
3 changes: 2 additions & 1 deletion frontend/packages/operator-lifecycle-manager/package.json
@@ -35,7 +35,8 @@
"catalogSourceActionsProvider": "src/actions/providers/catalog-source-provider.ts",
"useOperatorCatalogCategories": "src/hooks/useOperatorCatalogCategories.ts",
"useOperatorCatalogItems": "src/hooks/useOperatorCatalogItems.tsx",
"utils": "src/components/dashboard/utils.ts"
"utils": "src/components/dashboard/utils.ts",
"features": "src/features.ts"
}
}
}
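Review bot: the new `"features": "src/features.ts"` exposed module is what the `$codeRef: features.detectLifecycleMetadata` in the extension manifest resolves against, so `src/features.ts` must export a symbol named exactly `detectLifecycleMetadata`; a mismatch only shows up at runtime as an unresolved code reference, so a unit test or a typed re-export is worth adding alongside this entry.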