Update authenticated users RBAC e2e test #27326
openshift-ci[bot] merged 1 commit into openshift:master from
07a7704 to 1be7bac
ibihim left a comment
We are adding a rule.
Is there some link to a PR (feature / test cases) that will make tests break?
1be7bac to bf9321f
@ibihim there is an OLM PR that cannot merge because the testcase changed in this PR fails because authenticated users have unexpected permissions. The OLM PR doesn't test that authenticated users have these permissions, but console will be updating its operatorhub page to be built using the CSVs in the openshift namespace. This redesign will be tested and will fail if authenticated users lack the RBAC introduced in this PR. I can add a testcase to the OLM e2e suite to check for these permissions, but it seems redundant given the planned console work. Let me know what you think.
bf9321f to 711e05a
Problem: OLM has historically communicated to users which operators are available in a given namespace by creating a copy of an operator CSV in each namespace that it is scoped to. This has caused performance issues on large clusters with many namespaces. OLM provided users with the means to disable Copied CSVs for operators scoped to all namespaces, but console was unable to communicate which operators were available globally. Console will look for csvs in the openshift namespace to identify which operators are available globally for authenticated users. The authenticated user group needs read permissions to view the CSVs in the openshift namespace. The extended e2e origin test suite has a test that ensures that authenticated users do not have unanticipated RBAC.

Solution: This commit updates the test so that it expects the authenticated user group to have get, list, and watch permissions on CSVs in the openshift namespace.
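
The allowlist comparison that the description above refers to, sketched as an added example (not code from this PR or from the origin test suite). The `Rule` type, the `Diff` function and the sample data are hypothetical and constructed here; the CSV resource is written as `clusterserviceversions` in the `operators.coreos.com` API group.

```go
package main

import (
	"fmt"
	"sort"
)

// Rule is a simplified, hypothetical stand-in for a namespaced RBAC policy rule.
type Rule struct {
	Namespace, APIGroup, Resource string
	Verbs                         []string
}

// expand flattens rules into "namespace/group/resource:verb" keys.
func expand(rules []Rule) map[string]bool {
	out := map[string]bool{}
	for _, r := range rules {
		for _, v := range r.Verbs {
			out[fmt.Sprintf("%s/%s/%s:%s", r.Namespace, r.APIGroup, r.Resource, v)] = true
		}
	}
	return out
}

// Diff returns permissions granted but not expected (unanticipated RBAC) and
// permissions expected but not granted, each sorted for stable output.
func Diff(expected, actual []Rule) (extra, missing []string) {
	exp, act := expand(expected), expand(actual)
	for k := range act {
		if !exp[k] {
			extra = append(extra, k)
		}
	}
	for k := range exp {
		if !act[k] {
			missing = append(missing, k)
		}
	}
	sort.Strings(extra)
	sort.Strings(missing)
	return extra, missing
}

// Constructed sample: the read access the description gives the authenticated group.
var csvRead = Rule{"openshift", "operators.coreos.com", "clusterserviceversions", []string{"get", "list", "watch"}}

func main() {
	fmt.Println(Diff(nil, []Rule{csvRead}))             // old expectation: CSV read is flagged
	fmt.Println(Diff([]Rule{csvRead}, []Rule{csvRead})) // updated expectation: no difference
}
```

A check of this shape fails in both directions: a grant that nobody added to the expected list shows up in `extra`, and a grant that was expected but removed shows up in `missing`.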
711e05a to 3a3a3a4
/approve
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: awgreene, deads2k, ibihim

The full list of commands accepted by this bot can be found here. The pull request process is described here.
@awgreene: The following tests failed, say