Add provided ServiceAccount documentation to drafts

Signed-off-by: Tayler Geiger <[email protected]>

Author: trgeiger

docs/drafts/provided-serviceaccount.md

@@ -0,0 +1,34 @@
+# Provided ServiceAccount for ClusterExtension Installation and Management
+
+While OLMv0 provides many mechanisms for permission configuration via OperatorGroups,
+or by manipulating CatalogSources, cluster administrators must be aware of these options
+and actually implement them. If no ServiceAccount is explicitly specified for installing
+and upgrading operators, then cluster-admin is used by default. This can pose security risks
+by providing more permissions than are actually required for the management of any specific bundle.
+
+OLMv1 will not grant cluster-admin permissions. It instead requires ServiceAccounts provided
+by users to install, upgrade and delete content.
+
+The ServiceAccount is specified in the ClusterExtension manifest as follows:
+
+```yaml
+apiVersion: olm.operatorframework.io/v1alpha1
+kind: ClusterExtension
+metadata:
+  name: argocd
+spec:
+  source:
+    sourceType: Catalog
+    catalog:
+      packageName: argocd-operator
+      version: 0.6.0
+  install:
+    namespace: argocd
+    serviceAccount:
+      name: argocd-installer
+```
+
+If no ServiceAccount is provided in the ClusterExtension manifest, then the manifest will be rejected.
+Installation will also fail if the ServiceAccount does not have the necessary permissions to install a bundle.
+
+//TODO: Add link to documentation on determining least privileges required for the ServiceAccount