📖 Document OLMv1 permission model

[rashmi43]

Description

Document OLMv1 permission model
aims to clarify #1376

Reviewer Checklist

• API Go Documentation
• Tests: Unit Tests (and E2E Tests, if appropriate)
• Comprehensive Commit Messages
• Links to related GitHub Issue(s)

[netlify]

✅ Deploy Preview for olmv1 ready!

Name	Link
🔨 Latest commit	3875b46
🔍 Latest deploy log	https://app.netlify.com/sites/olmv1/deploys/671b6de9954ac000081eb258
😎 Deploy Preview	https://deploy-preview-1380--olmv1.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 73.57%. Comparing base (b7674d8) to head (3875b46).
Report is 14 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1380      +/-   ##
==========================================
- Coverage   74.84%   73.57%   -1.27%     
==========================================
  Files          42       42              
  Lines        2516     3194     +678     
==========================================
+ Hits         1883     2350     +467     
- Misses        449      659     +210     
- Partials      184      185       +1     

Flag	Coverage Δ
e2e	55.13% <ø> (-1.63%)	⬇️
unit	53.38% <ø> (+0.67%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[perdasilva]

I think the structure of this section is a little bit unclear. Maybe we could call attention to the fact that the installer service account and the service account for the cluster extension's Deployment have different purposes: the first manages the lifecycle of the cluster extensions - so it needs to be able to create/modify the resources packed in the bundle, and assign RBAC to the extension's Deployment SA. And, the second, gives the extension controller the RBAC it needs to do its business.

I think most of that information is already here, we should just restructure it a bit to make clear this distinction and the roles of each of the SAs

[joelanford]

I'm on the fence about how important it is to include bullet (4). It seems that at a conceptual level, but bullet could be left out and the document would stand on its own, such that it describes the concept without delving into implementation specifics.

On the otherhand, concrete examples can be useful to illustrate a concept. Two alternative suggestions:

1. Re-write this to be more of an example rather than another bullet point.
2. Going along with (1), is there a place in the docs that we talk about registry+v1 specifics? If so, maybe we insert some details there about how OLMv1 generates service accounts and RBAC? Then we could link there from there.

Maybe we drop bullet (4) for now, and do an example in a follow-up?

[rashmi43]

updating 4) to an example