Unnecessary `*-auth-reader` RoleBinding in kube-system when webhookdefinitions are defined.
Bug Report
OLM incorrectly creates a *-auth-reader RoleBinding in the kube-system namespace when the ClusterServiceVersion is configured to use a spec.webhookdefinitions to auto-install a webhook with the operator.
This RoleBinding is meant to be used only when the ClusterServiceVersion provides an API Server Extension spec.apiservicedefinitions, but is incorrectly being created for WebHooks.
What did you do?
Build and install the sample webhook-operator: https://github.com/awgreene/webhook-operator
What did you expect to see?
I expected to NOT see a RoleBinding in kube-system named: webhook-operator-webhook-service-auth-reader.
What did you see instead? Under which circumstances?
A RoleBinding in kube-system was created as follows (some fields removed for readability):

```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: webhook-operator-webhook-service-auth-reader
  namespace: kube-system
  labels:
    olm.owner: webhook-operator.v0.0.1
    olm.owner.kind: ClusterServiceVersion
    olm.owner.namespace: openshift-operators
    operators.coreos.com/webhook-operator.openshift-operators: ''
subjects:
  - kind: ServiceAccount
    name: default
    namespace: openshift-operators
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
```
Environment
- operator-lifecycle-manager version: `0.19.0`
- Kubernetes version information: OpenShift 4.10.13 (Kube 1.23)
- Kubernetes cluster kind: OpenShift
Possible Solution NA
Additional context NA
@awgreene
Issues go stale after 90 days of inactivity. If there is no further activity, the issue will be closed in another 30 days.
This issue has been closed due to inactivity.
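
An audit check for the condition reported in this issue, added here as an example (it is not code from the issue or from OLM): it flags `kube-system` RoleBindings to `extension-apiserver-authentication-reader` whose owning ClusterServiceVersion declares no owned APIService. It assumes the inputs are the parsed output of `kubectl get rolebindings -n kube-system -o json` and `kubectl get csv -A -o json`; the `example-apiserver` objects and the helper names are constructed for illustration.

```python
AUTH_READER_ROLE = "extension-apiserver-authentication-reader"

def owns_apiservice(csv):
    """True when the CSV declares at least one owned APIService."""
    defs = csv.get("spec", {}).get("apiservicedefinitions") or {}
    return bool(defs.get("owned"))

def unexpected_auth_readers(rolebindings, csvs):
    """Names of kube-system auth-reader RoleBindings whose owning CSV
    declares no owned APIService (the situation described in the report)."""
    by_key = {(c["metadata"]["namespace"], c["metadata"]["name"]): c
              for c in csvs["items"]}
    flagged = []
    for rb in rolebindings["items"]:
        meta = rb["metadata"]
        labels = meta.get("labels") or {}
        if (meta.get("namespace") != "kube-system"
                or rb.get("roleRef", {}).get("name") != AUTH_READER_ROLE
                or labels.get("olm.owner.kind") != "ClusterServiceVersion"):
            continue
        owner = by_key.get((labels.get("olm.owner.namespace"),
                            labels.get("olm.owner")))
        # A binding whose owner CSV no longer exists is reported as well.
        if owner is None or not owns_apiservice(owner):
            flagged.append(meta["name"])
    return flagged

def _rb(name, owner, owner_ns):  # builds a constructed sample RoleBinding
    return {"metadata": {"name": name, "namespace": "kube-system",
                         "labels": {"olm.owner": owner,
                                    "olm.owner.kind": "ClusterServiceVersion",
                                    "olm.owner.namespace": owner_ns}},
            "roleRef": {"kind": "Role", "name": AUTH_READER_ROLE}}

def _csv(name, ns, spec):  # builds a constructed sample CSV
    return {"metadata": {"name": name, "namespace": ns}, "spec": spec}

# First entry mirrors the RoleBinding in the report; the second is constructed.
SAMPLE_RBS = {"items": [
    _rb("webhook-operator-webhook-service-auth-reader",
        "webhook-operator.v0.0.1", "openshift-operators"),
    _rb("example-apiserver-auth-reader", "example-apiserver.v1.0.0", "example-ns")]}
SAMPLE_CSVS = {"items": [
    _csv("webhook-operator.v0.0.1", "openshift-operators",
         {"webhookdefinitions": [{"type": "ValidatingAdmissionWebhook"}]}),
    _csv("example-apiserver.v1.0.0", "example-ns",
         {"apiservicedefinitions": {"owned": [{"group": "example.com"}]}})]}

if __name__ == "__main__":
    for name in unexpected_auth_readers(SAMPLE_RBS, SAMPLE_CSVS):
        print("unexpected auth-reader RoleBinding:", name)
```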