IBM Cloud Pak foundational services cluster permissions
The IBM Cloud Pak foundational services operators and service workloads have cluster-level permissions as required for some of the operations that they perform. These permissions are closely tracked and documented so that users can understand any implications that they might have on other workloads in the cluster.
In prior releases of IBM Cloud Pak foundational services, all operators (and some workloads) had many cluster permissions, sometimes more than needed to perform their jobs. In IBM Cloud Pak foundational services version 3.6.x and later, these permissions are restricted. Most operator and workload permissions are limited to a namespace scope, and are selectively projected into namespaces as needed to support the requirements of dependent IBM Cloud® Paks. Users can specifically determine when and where IBM Cloud Pak foundational services permissions have authority over any individual namespace in the cluster. This provides control over workload isolation to the cluster administrator.
Namespace Scope
In order to better support workload isolation, a Namespace Scope operator selectively "projects" IBM Cloud Pak foundational services operator roles and role bindings into a namespace when IBM Cloud Paks or containerized software request foundational services from that namespace. This allows foundational services to perform operations in the namespace. By default, the Namespace Scope operator has cluster permissions when installed so that the role binding projections can be performed automatically when needed.
If the users are uncomfortable with these permissions or automatic projection of role bindings, they can specify that they want to manually authorize this namespace projection. This removes cluster permissions from the Namespace Scope operator and error messages are issued from the OpenShift console when authority is needed to allow IBM Cloud Pak foundational services interaction with a specific namespace. The cluster administrator can then authorize from the command line the namespace that needs to interact with the foundational services.
For more information, see IBM NamespaceScope Operator.
Permissions
Remaining cluster permissions that operators and service workloads have are given in the following tables:
- IBM Common Service Operator
- Operand Deployment Lifecycle Manager
- IBM Namespace Scope Operator
- IBM License Service Operator
- IBM System Healthcheck Operator
- IBM Management Ingress Operator
- IBM Management Ingress Operand
- IBM Ingress Nginx Operand
- IBM IAM (Identity and Access Management) Operator
- IBM IAM Operand
- IBM Cert-manager Operator
- IBM Common UI Operator
- IBM Metering Operator
- IBM Audit Logging Operator
- IBM Audit Policy Controller
- IBM Audit Garbage Collector
- IBM Monitoring Grafana Operator
- IBM Monitoring Grafana Operand
- IBM Monitoring Prometheus Ext Operator
- IBM Monitoring Prometheus Ext Operand
- IBM Monitoring Exporters Operator
- IBM Monitoring Exporters Operand
- IBM Platform API Operator
- IBM Platform API Operand
- IBM Platform UI Operand
- IBM User Data Services Operator
- Cloud Pak Platform Operator
IBM Common Service Operator
The foundational service operator bootstraps foundational services by installing their operators into the cluster as needed.
| API group | Resources | Verbs | Description |
|---|---|---|---|
| "" | namespaces | Create Get List Watch Update |
Used only for creating the ibm-common-services namespace. This permission is required as Kubernetes ClusterRoles do not support specifying a dedicated namespace name. |
| operators.coreos.com | subscriptions operatorgroups |
Create Get List Watch Update |
Used only for managing OLM Operator Subscriptions in the ibm-common-services namespace. |
| operators.coreos.com | subscriptions clusterserviceversions |
Delete | Used only for deleting the IBM Cloud Pak foundational services from the openshift-operators and ibm-common-services namespaces when they are no longer needed in the cluster. |
| operator.ibm.com | commonservices | Get List Watch |
The IBM Cloud Pak foundational services operator owns the CommonService custom resource (CR) and needs cluster-level permissions to get, list, or watch the CR whenever it is created or updated in any namespace (typically
during installation of IBM Cloud Paks that require foundational services). |
| apiextensions.k8s.io | customresourcedefinitions | Create Get Update |
Used for creating the CustomResourceDefinitions (CRDs) of the SecretShare CR and the ibm-common-service-webhook operator.
|
| "" | configmaps | Create Get List Watch Update Delete |
Used only for performing operations on the ibm-common-services-status configmap. This configmap is created in the kube-public namespace and is used by IBM Cloud Paks to indicate when foundational
services are available. |
| rbac.authorization.k8s.io | roles role bindings |
Create Get List Watch Update Delete |
Used for creating role and role binding in the kube-public namespace for accessing ibm-common-services-status and ibmcloud-cluster-info configmaps. The ibmcloud-cluster-info configmap contains
some basic information about the cluster (such as its name) that is used by IBM Cloud Paks and foundational services for backward compatibility with an earlier version. |
| rbac.authorization.k8s.io | clusterroles clusterrolebindings |
Create Get List Watch Update Delete |
Used for creating cluster administrator permission for Operand Deployment Lifecycle Manager when the IBM Cloud Pak foundational services operator is installed in all-namespaces mode. The cluster administrator permission
is used to manage IBM Cloud Pak operators. |
| admissionregistration.k8s.io | mutatingwebhookconfigurations | Create Get List Watch Update Delete Patch |
Used for managing ibm-common-service-webhook operator resources. The webhook is used to solve a known DNS issue that causes a 5-seconds DNS resolution delay in OpenShift and Kubernetes clusters. (https://github.com/kubernetes/kubernetes/issues/56903) |
| ibmcpcs.ibm.com | secretshares | Create Get List Watch Update Delete |
Used for managing SecretShare, which is the resource of ibm-secretshare-operator. The SecretShare operator watches secrets and configmaps in the ibm-common-services namespace, copying selected entries
to the kube-system, kube-public, or services namespaces for backward compatibility with older IBM Cloud Pak versions. |
| operator.ibm.com | podpresets | Create Get List Watch Update Delete |
Used for managing PodPreset, which is the resource of the ibm-common-service-webhook operator. The webhook is used to solve the known DNS issue that causes a 5-seconds DNS resolution delay in OpenShift and Kubernetes
clusters. (https://github.com/kubernetes/kubernetes/issues/56903). |
| "" | secrets configmaps |
Create Get List Watch Update Delete |
The ibm-secretshare-operator requires these permissions to perform its operations. The SecretShare operator watches secrets and configmaps in the ibm-common-services namespace, copying selected entries to the kube-system,
kube-public, or services namespaces for backward compatibility with older IBM Cloud Pak versions. |
| "" | events pods |
Create Get List Watch Update Delete |
The ibm-common-service-webhook operator requires these permissions to perform its operations. The webhook is used to solve the known DNS issue (https://github.com/kubernetes/kubernetes/issues/56903). |
Operand Deployment Lifecycle Manager
The Operand Deployment Lifecycle Manager manages OLM operator subscriptions and deployments for the IBM Cloud Pak foundational services. IBM Cloud Paks request and interact with foundational services through Operand custom resources.
| API group | Resources | Verbs | Description |
|---|---|---|---|
| operator.ibm.com | operandbindinfos operandconfigs operandregistries operandrequests |
Create Get List Watch Update Delete Patch |
The Operand Deployment Lifecycle Manager owns the OperandBindInfo, OperandConfig, OperandRegistry, and OperandRequest resources. It requires cluster-level permissions to view
these resources in case they are created (indicating that foundational services are requested) in any namespace in the cluster. Foundational services interact only with workloads in namespaces that contain one or more of these Operand CRs. |
| operator.ibm.com | certmanagers ibmlicensings meteringreportservers auditloggings |
Create Get List Watch Update Delete Patch |
These CRs are cluster-scoped, and the foundational services deployed by ODLM owns them. These CRs are created only when their services are requested by IBM Cloud Paks. |
| clusterhealth.ibm.com | clusterservicestatuses | Create Get List Watch Update Delete Patch |
ClusterServiceStatus is the CR of ibm-healthcheck-operator. The CR is cluster-scoped. |
| certmanager.k8s.io | clusterissuers | Create Get List Watch Update Delete Patch |
ClusterIssuer is a CR of the ibm-cert-manager-operator. The CR is cluster-scoped. |
IBM Namespace Scope Operator
| API group | Resources | Verbs | Description |
|---|---|---|---|
| "*" | "*" | Create Delete Get List Patch Update Watch DeleteCollection |
The IBM Namespace Scope Operator is installed by default and has full cluster administrator permissions, except escalate and bind permissions. This operator enables automatic authorization of role and
role binding to the namespace in which an IBM Cloud Pak is installed. The runtime permissions of the operator from the original namespace are aggregated into a role for the operator in the target namespace. The name of role in the target namespace is nss-runtime-managed-role-from-<original-namespace>. If an OpenShift cluster administrator wants to restrict permissions of this operator, the administrator can set manualManagement: true in the CommonService CR to automatically uninstall this operator and install the IBM Namespace Scope Operator Restricted instead. The IBM Namespace Scope Operator Restricted has no cluster permissions.
An OpenShift cluster administrator must manually authorize role and role binding from its namespace. For more information, see Authorizing foundational services to perform operations on workloads in a namespace. |
Note: From foundational services version 3.22 onwards, the IBM Namespace Scope Operator permissions are restricted as shown in Table 3. In foundational services versions 3.6 - 3.21, the operator has full cluster administrator permissions.
IBM License Service Operator
The license service is responsible for collecting usage information on any IBM Cloud Paks or containerized offerings running in a cluster to assist customers in managing their license compliance.
| API group | Resources | Verbs | Description |
|---|---|---|---|
| " " | pods namespaces nodes |
Get List |
The cluster permissions for the ibm-license-service service account are read-only access permissions that are required to properly discover the running IBM applications to report license usage of the Virtual Processor
Core (VPC) and Processor Value Unit (PVU) metrics. |
| operator.openshift.io | servicecas | List | These permissions are required to generate the TLS certificate for License Service. |
| operator.ibm.com | ibmlicensings ibmlicenseservicereporters ibmlicensings/status ibmlicenseservicereporters/status ibmlicensings/finalizers ibmlicenseservicereporters/finalizers |
Create Delete Get List Patch Update Watch |
The cluster permissions for the ibm-licensing-operator service account are required to properly manage the status of the IBM License Service operator. |
IBM System Healthcheck Operator
The System HealthCheck Operator is responsible for collecting information on IBM Cloud Pak foundational services health, and in collecting information as requested by a cluster administrator for use in problem reporting with IBM Cloud Pak foundational services.
| API group | Resources | Verbs | Description |
|---|---|---|---|
| "" | pods nodes |
Get List |
These read-only permissions are used by the system-healthcheck-service operand to get the status of all pods in all the namespaces. |
| clusterhealth.ibm.com | clusterservicestatuses | Create Read Update Delete |
These permissions are used by the system-healthcheck-service operand only to update the service health status to the clusterservicestatuses.clusterhealth.ibm.com CRD. |
| "" | all resources in all namespaces | Get List |
These read-only permissions are used by the must-gather-job operand to get all resource and logs. |
| "" | pods and executables in all namespaces | Create | This permission is used by the must-gather-job operand to reach the network pod and gather information. |
IBM Management Ingress Operator
The Management Ingress Operator establishes endpoints for Web UI interaction with IBM Cloud Pak foundational services for use by an administrator to interact with those services.
| API group | Resources | Verbs | Description |
|---|---|---|---|
| operator.openshift.io | dnses ingresscontrollers |
Get List Watch |
Permission for DNS and ingress controllers from the openshift-ingress-operator namespace to get router application domain. |
| "" | configmaps | Get List Watch |
Permission for the console-config configmap from the openshift-console namespace to get the kube-apiserver URL. |
IBM Management Ingress Operand
The Management Ingress Operand is the workload (pods) that are deployed by the ingress operator.
| API group | Resources | Verbs | Description |
|---|---|---|---|
| "" | nodes | Get List Watch |
Permission for the node resources to update the loadBalancer IP address of ingress status. |
| "" | namespaces | Get List Watch |
Permission for the namespace resources to get the namespaces being currently watched. |
| "" | services | Get List Watch |
Permission for the service resources to get the Kubernetes backend default or Kubernetes service. |
IBM Ingress Nginx Operator
The Nginx Ingress Operator establishes endpoints for Web UI interaction with IBM Cloud Pak foundational services for use by IBM Cloud Paks to interact with those services.
| API group | Resources | Verbs | Description |
|---|---|---|---|
| "" | nodes | Get List Watch |
Permission for the node resources to update the loadBalancer IP address of ingress status. |
| "" | namespaces | Get | Permission for the namespace resources to get the namespaces being currently watched. |
IBM IAM Operator
The Identity and Access Management (IAM) operator is responsible for deploying and managing user identity and access management services.
| API group | Resources | Verbs | Description |
|---|---|---|---|
| admissionregistration.k8s.io | mutatingwebhookconfigurations | Create Get List Watch Update Delete |
Permissions to intercept namespace creation by account administrator to support multitenancy (workload isolation by namespace). |
| rbac.authorization.k8s.io | clusterroles clusterrolebindings |
Create Get List Watch Update Delete |
Permissions to support console features. These permissions are also needed to create a set of default cluster roles, such as icp:accountadmin, and cluster role bindings to bind default subjects to those roles. |
| user.openshift.io | users | Create Get List Watch Update Delete |
Permissions to create the default admin user during installation. |
IBM IAM Operand (workloads)
IAM services only deal with identities and access by IBM Cloud Paks through IBM Cloud Pak foundational services.
| API group | Resources | Verbs | Description |
|---|---|---|---|
| core | namespaces | Get List Watch |
Read-only permissions to support watching a set of namespaces that are created by the account administrator to support multitenancy (workload isolation by namespace). |
| rbac.authorization.k8s.io | clusterrolebindings | Create Get List Watch Update Delete |
Permissions to support cluster administrator login on a public cloud. These permissions are also needed to assign roles to account administrators to support multitenancy. |
| user.openshift.io | users groups identities |
Create Get List Watch Update Delete |
Permissions to manage the shadowed users and groups in OpenShift. |
| oauth.openshift.io | oauthclients | Create Get List Watch Update Delete |
Permissions to support client registration with the OpenID Connect (OIDC) provider. |
| oauth.openshift.io | oauthtokens | Create Get List Watch Update Delete |
Permissions to work with the authentication tokens during login flow. |
| iam.policies.ibm.com | iampolicies | Create Get List Watch Update Delete |
This is a custom resource that is created by the IBM IAM operator. The permissions are needed to watch policies that are set by IBM Cloud Pak users across namespaces. This feature is used only by the IBM Cloud Pak for Multicloud Management. |
IBM Cert-manager Operator
| API group | Resources | Verbs | Description |
|---|---|---|---|
| "" | configmaps | Create Delete List Get Watch Update Patch |
Required by cert-manager for leader election and by configmap-watcher service. |
| "" | events | Create Patch |
Required by cert-manager to create and patch events for cert-manager resources. |
| "" | pods services |
Get List Watch Create Delete |
Required by cert-manager to perform operations, such as renewal, on secrets associated with the certs. |
| "" | secrets | Get List Watch Create Update Delete |
Required by cert-manager to perform operations such as renewal on secrets associated with the certs. |
| "" | serviceaccounts | List Watch |
Required by cert-manager to list and watch service accounts. |
admission.registration.k8s.io |
mutatingwebhookconfigurationsvalidatingwebhookconfigurations |
* | Required by operator to create mutatingwebhookconfigurations and validatingwebhookconfigurations as a part of webhook resources. |
admission.certmanager.k8s.io |
certificates issuers clusterissuers certificaterequests |
* | Required by cert-manager-webhook for cert-manager resources admission. |
apiextensions.k8s.io |
customresourcedefinitions |
* | Required by operator to perform operations on all cert-manager operand CRDs. |
| apps | deployments statefulsets daemonsets |
* | Required by cert-manager service to support pod-refresh after cert renewal feature. Also needed by configmap-watcher to restart pods when configmaps change. |
authorization.k8s.io |
subjectaccessreviews | * | Required by cert-manager-webhook for API server authorization and authentication. |
certmanager.k8s.io |
certificates certificaterequests orders challenges clusterissuers issuers |
* | Required by cert-manager to perform all operations on cert-manager resources in any namespace. |
certmanager.k8s.io |
certificates/status certificaterequests/status orders/status challenges/status clusterissuers/status issuers/status certificates/finalizers challenges/finalizers ingresses/finalizers orders/finalizers |
Update | Required by cert-manager to perform all operations on cert-manager resources in any namespace. |
| extensions | ingresses | Get List Watch Create Delete Update |
Required by cert-manager to support CA bundle injection in ingresses. |
| ibmcpcs.ibm.com | secretshares | List Watch |
Required by operator to list and watch at cluster level. Operator cache requires this permission because operator is cluster-scoped. |
| operator.ibm.com | certmanagers certmanagers/status certmanager/finalizers |
Create Delete Get List Patch Update Watch |
Required by operator because certmanagers resource is cluster-scoped. The CR is cluster-scoped because the operator deploys cluster-scoped resources. |
operator.open-cluster-management.io |
multiclusterhubs | Get List Watch |
Required by operator to detect if Red Hat Advanced Cluster Management is installed. If installed, then operator does not deploy cert-manager. |
rbac.authorization.k8s.io |
clusterroles clusterrolebindings rolebindings |
Create Get List Watch Delete |
Required by operator to create clusterrole, clusterrolebinding for the cert-manager operands. Required to create rolebinding in kube-system used by cert-manager-webhook. |
security.openshift.io |
securitycontextcontstraints | Use | Required by the operator to enable or disable hostNetwork for cert-manager-webhook. Restricted to resourceNames of restricted and hostnetwork. |
IBM Common UI Operator
The following cluster permissions are installed when you install the operator.
| API group | Resources | Verbs | Description |
|---|---|---|---|
| "" | deployments configmaps statefulsets persistentvolumeclaims pods nodes events services namespaces |
Get List |
The Common UI requires this permission to collect data to display on the Administration panel for resources that are installed in a different namespace. In addition, services are watched to add services automatically to the Common UI header. |
| apps | deployments daemonsets statefulsets |
Get List |
The Common UI requires this permission to collect data to display on the Administration panel. |
| extensions | ingresses | Get List |
This permission is required for watching for new services to add automatically to the Common UI header. |
route.openshift.io |
routes | Get List |
This permission is required to get routes for the Administration panel for any IBM Cloud Pak that is installed in a different namespace. |
IBM Metering Operator
Note: The deprecated Metering service is removed in IBM Cloud Pak® foundational services version 3.7.x. At the time of removal, the following permissions are also removed.
The following cluster permissions are installed when you install the metering operator.
| API group | Resources | Verbs | Description |
|---|---|---|---|
| "" | namespaces pods nodes persistent volumes configmaps persistent volume claims |
Get List |
Metering needs to read these objects to capture the resources used by each type. The configmap permission is required in IBM Cloud Pak for Multicloud Management metering environments to determine the local hub name. |
The following roles are required for the metering report server. The metering report server generates reports for any namespace in the cluster and is implemented as an API server extension, which dictates that this API be cluster-scoped.
| API group | Resources | Verbs | Description |
|---|---|---|---|
apigroup:authorization.k8s.io |
subjectaccessreviews | Create | Metering requires this role to be able to create subject access reviews in support of the report API server extension. |
apigroup:apiregistration.k8s.io |
apiservices | Create List Watch |
Metering requires this role to be able to create the api service in support of the report API server extension. |
| "" | configmaps | Watch | Metering requires the ability to watch configmaps for configuration changes to the service. |
| operator.ibm.com | meteringreportservers/status finalizers |
Create Update Delete Get List Watch |
The metering operator requires these permissions to manage the metering report server type and update its status and finalizers. |
The following roles are required when metering is used in an IBM Cloud Pak for Multicloud Management environment to meter clusters and roll metering data up from managed endpoints to the hub.
| API group | Resources | Verbs | Description |
|---|---|---|---|
operator.openshift.io |
ingresscontroller | Get | Metering needs to be able to get the application domain on the hub cluster to create a route and certificate for data delivery from managed endpoints. |
| mcm.ibm.com | clusterstatuses leadervotes |
Get | - |
cluster.open-cluster-management.io and managedclusterinfosinternal.open-cluster-management.io |
managedclusters | Get | Metering needs the ability to list clusters to meter them on the IBM Cloud Pak for Multicloud Management hub. Both IBM Cloud Pak for Multicloud Management core and Red Hat Advanced Cluster Management hubs are supported. |
operator.open-cluster-management.io |
multiclusterhubs | Get List |
Metering needs to be able to determine the type of hub that is being used (IBM Cloud Pak for Multicloud Management or Red Hat Advanced Cluster Management). |
| "" | secrets | Get | Metering needs to be able to read the hub kube config secret to be able to send data back to the hub cluster. This secret resides in another namespace. |
apiextensions.k8s.io |
customresourcedefinitions | Get | The Metering sender needs to read custom resource definitions to determine the type of hub cluster it is sending data to (IBM Cloud Pak for Multicloud Management or Red Hat Advanced Cluster Management). |
IBM Audit Logging Operator
| API group | Resources | Verbs | Description |
|---|---|---|---|
| operator.ibm.com | auditlogging auditlogging/status auditlogging/finalizer |
Create Get List Watch Update Patch Delete |
AuditLogging is a cluster-scoped resource that is owned by IBM AuditLogging Operator. |
| "" | events | Create Patch |
Required to update AuditLogging CRs with useful events for debugging and deployment readiness. |
IBM Audit Policy Controller
This audit policy controller feature is used only by the IBM Cloud Pak for Multicloud Management. It sets policy for audit logging across managed clusters.
| API group | Resources | Verbs | Description |
|---|---|---|---|
| audit.policies.ibm.com | auditpolicy | Create Get List Watch Update Patch Delete |
AuditPolicy is a cluster-scoped resource. |
| audit.policies.ibm.com | auditpolicy/status | Create Update Patch |
Required to update AuditPolicy CRs with a compliance state and reason for non-compliancy. |
| "" | namespaces | Get List Watch |
Required to watch a set of namespaces declared in an Audit Policy. |
| "" | configmaps | Get List Watch |
Required to support enabling the AUDIT_ENABLED flag in service configmaps when an Audit Policy is set to enforce. |
| "" | pods | Get List Watch |
Required to get the name of the configmap that holds the audit enabled key from a service pod. |
| "" | events | Create Patch |
Required to update a parent AuditPolicy with child policy compliance details. |
IBM Audit Garbage Collector
The garbage collector cleans up cluster roles that might have been created by the audit logging operator in previous releases.
| API group | Resources | Verbs | Description |
|---|---|---|---|
rbac.authorization.k8s.io |
clusterroles | Delete | Required to remove old audit policy controller cluster roles that are no longer used as created in previous releases by the Audit Logging operator. |
rbac.authorization.k8s.io |
clusterrolebinding | Delete | Required to remove old audit policy controller cluster role bindings that are no longer used. |
IBM Monitoring Grafana Operator
| API group | Resources | Verbs | Description |
|---|---|---|---|
| "" | configmaps/cluster-monitoring-config | Get | Used to check whether Red Hat® OpenShift® Container Platform Application Monitoring is enabled or not. |
IBM Monitoring Grafana Operand
| API group | Resources | Verbs | Description |
|---|---|---|---|
| "" | namespaces | Get | Permission to authenticate against Red Hat® OpenShift® Container Platform interfaces to OpenShift Application Monitoring. |
IBM Monitoring Prometheus Ext Operator
Note: When you use the monitoring service in Red Hat® OpenShift® Container Platform monitoring mode, only the Grafana operator is installed. The following permissions can be removed.
| API group | Resources | Verbs | Description |
|---|---|---|---|
storage.k8s.io |
storageclasses | List Watch |
Permission to automatically find usable storage classes in the cluster. |
security.openshift.io |
securitycontextconstraints | Create Update Get |
Permission to create custom SCCs. |
IBM Monitoring Prometheus Ext Operand
Note: When you use the monitoring service in Red Hat® OpenShift® Container Platform monitoring mode, only the Grafana operator is installed. Therefore, the following permissions can be removed.
| API group | Resources | Verbs | Description |
|---|---|---|---|
| monitoring.coreos.com | servicemonitors podmonitors prometheusrules |
* | Permission for embedded Prometheus operator to monitor cluster and applications. |
| "" | namespaces | Get | Permission for embedded Prometheus operator to check namespaces to watch. |
| "" | services nodes nodes/proxy endpoints pods |
Get List Watch |
Permission for Prometheus service discovery. |
IBM Monitoring Exporters Operator
Note: When you use the monitoring service in Red Hat® OpenShift® Container Platform monitoring mode, only the Grafana operator is installed. Therefore, the following permissions can be removed.
| API group | Resources | Verbs | Description |
|---|---|---|---|
security.openshift.io |
securitycontextconstraints | Create Update Get |
Permission to create custom SCCs. |
IBM Monitoring Exporters Operand
Note: When you use the monitoring service in Red Hat® OpenShift® Container Platform monitoring mode, only the Grafana operator is installed. Therefore, the following permissions can be removed.
| API group | Resources | Verbs | Description |
|---|---|---|---|
| "" | * | List | kube-state-metrics creates metrics for them. |
| apps | * | List | kube-state-metrics creates metrics for them. |
| batch | * | List | kube-state-metrics creates metrics for them. |
| extensions | * | List | kube-state-metrics creates metrics for them. |
networking.k8s.io |
* | List | kube-state-metrics creates metrics for them. |
storage.k8s.io |
* | List | kube-state-metrics creates metrics for them. |
| autoscaling | * | List | kube-state-metrics creates metrics for them. |
| policy | * | List | kube-state-metrics creates metrics for them. |
admissionregistration.k8s.io |
* | List | kube-state-metrics creates metrics for them |
IBM Platform API Operator
The platform API is the server component for the cloudctl command line that is used for many CLI administrative tasks.
| API group | Resources | Resource names | Verbs | Description |
|---|---|---|---|---|
apiextensions.k8s.io |
customresourcedefinitions | passwordrules.icp.ibm.com |
Delete | Used only for cleaning up obsolete CRDs that remain from a previous version of the operator. |
rbac.authorization.k8s.io |
clusterroles clusterrolebindings |
Create List Watch |
Used only for ibm-platform-api-operand to set up RBAC to support listing target namespaces in legacy catalog-ui service. This will be removed in a future release. | |
rbac.authorization.k8s.io |
clusterroles clusterrolebindings |
ibm-platform-api-operand |
Delete Get Patch update |
Used only for ibm-platform-api-operand to set up RBAC to support listing target namespaces in legacy catalog-ui service. This will be removed in a future release. |
policy |
podsecuritypolicies | List | Used only for ibm-platform-api-operand to grant permission to support listing target namespaces in legacy catalog-ui service. This will be removed in a future release. | |
| "" | serviceaccounts | Impersonate | Used only for ibm-platform-api-operand to grant permission to support listing target namespaces in legacy catalog-ui service. This will be removed in a future release. |
IBM Platform API Operand
| API group | Resources | Verbs | Description |
|---|---|---|---|
rbac.authorization.k8s.io |
clusterrolebindings | List | Used only to inspect if a user has access to a namespace in order to support listing target namespaces in legacy catalog-ui service. This will be removed in a future release. |
policy |
podsecuritypolicies | List | Used only to inspect if a user has access to a namespace in order to support listing target namespaces in legacy catalog-ui service. This will be removed in a future release. |
| "" | serviceaccounts | Impersonate | Used only to inspect if a user has access to a namespace in order to support listing target namespaces in legacy catalog-ui service. This will be removed in a future release. |
IBM Platform UI Operator
The Platform UI (ibm-zen-operator) operator is responsible for managing users and console access.
| API group | Resources | Verbs | Description |
|---|---|---|---|
| "" batch extensions apps policy rbac.authorization.k8s.io autoscaling route.openshift.io authorization.openshift.io networking.k8s.io metrics.k8s.io template.openshift.io |
pods pods/log poddisruptionbudgets secrets jobs configmaps deployments deployments/scale statefulsets statefulsets/scale replicasets services persistentvolumes persistentvolumeclaims cronjobs pods/exec pods/portforward serviceaccounts namespaces roles rolebindings horizontalpodautoscalers routes routes/custom-host ingresses endpoints cronjob networkpolicies events jobs/status pods/status resourcequotas resourcequotas/status processedtemplates |
apply create get delete watch update edit exec list patch scale deletecollection |
|
security.openshift.io |
'*' | create get list patch update watch delete use |
|
monitoring.coreos.com |
servicemonitors | get create |
|
admissionregistration.k8s.io |
validatingwebhookconfigurations mutatingwebhookconfigurations |
create delete get list patch update watch |
|
apps |
deployments/finalizers | update | |
zen.cpd.ibm.com |
'*' | create delete get list patch update watch |
|
image.openshift.io |
imagestreams imagestreams/layers imagestreams/secrets imagestreams/status imagestreamimages imagestreamimports imagestreammappings imagestreamtags |
create delete get list patch update watch |
|
build.openshift.io |
buildconfigs buildconfigs/instantiate buildconfigs/instantiatebinary buildconfigs/webhooks buildlogs builds builds/clone builds/log builds/details |
create delete get list patch update watch |
|
rbac.authorization.k8s.io |
clusterrole clusterroles clusterrolebinding clusterrolebindings |
create delete get list patch update watch |
|
oidc.security.ibm.com |
client clients |
create delete get list patch update watch use |
|
operator.ibm.com |
operandrequest operandrequests |
create delete get list patch update watch use |
IBM User Data Services Operator
The following cluster permissions are installed when you install the IBM User Data Services Operator.
| API group | Resources | Verbs | Description |
|---|---|---|---|
security.openshift.io |
securitycontextconstraints | Get Create Delete Bind Escalate List Watch Patch |
Permission to create custom SCCs. |
rbac.authorization.k8s.io |
clusterroles clusterrolebindings roles rolebindings |
Get Create Delete Bind Escalate List Watch Patch</br |
|
apiextensions.k8s.io |
customresourcedefinitions | Get Create Delete List Patch Update Watch |
Required by operator to perform operations CRDs. |
| "" | secrets pods pods/exec pods/log services services/finalizers endpoints persistentvolumeclaims persistentvolumes nodes events configmaps serviceaccounts namespaces |
Create Delete Get List Patch Update Watch |
|
config.openshift.io |
clusterversions | Get Create Delete List Patch Update Watch |
|
appsextensions |
deployments daemonsets replicasets statefulsets |
Get Create Delete List Patch Update Watch |
|
uds.ibm.com |
analyticsproxies analyticsproxies/status analyticsproxies/finalizers generatekeys generatekeys/status generatekeys/finalizers |
Get Create Delete List Patch Update Watch |
|
batch |
jobs cronjobs |
Get Create Delete List Patch Update Watch |
|
route.openshift.io |
routes routes/custom-host |
Get Create Delete List Patch Update Watch |
This permission is required to get routes |
ibmevents.ibm.com |
kafkas kafkas/status kafkaconnects kafkaconnects/status kafkaconnects2is kafkaconnects2is/status kafkaconnectors kafkaconnectors/status kafkamirrormakers kafkamirrormakers/status kafkabridges kafkabridges/status kafkamirrormaker2s kafkamirrormaker2s/status kafkarebalances kafkarebalances/status kafkatopics kafkatopics/status kafkausers kafkausers/status |
Get Create Delete List Patch Update Watch |
This permission is required for Kafka |
operators.coreos.com |
operatorgroups subscriptions clusterserviceversions |
Get Create Delete List Patch Update Watch |
|
authentication.k8s.io |
tokenreviews | Create | |
authorization.k8s.io |
subjectaccessreviews | Create | |
networking.k8s.io |
networkpolicies | Get Create Delete List Patch Update Watch |
|
autoscaling |
horizontalpodautoscalers | Get Create Delete List Patch Update Watch |
|
postgres-operator.crunchydata.com |
postgresclusters postgresclusters/status postgresclusters/finalizers |
Get Create Delete List Patch Update Watch |
Cloud Pak Platform Operator
The Cloud Pak Platform (zen-cpp-operator) operator provisions workloads that provide various Zen-powered features for the Cloud Pak Platform.
| API group | Resources | Verbs | Description |
|---|---|---|---|
| "" | secrets pods pods/exec pods/log |
create delete get list patch update watch |
|
| apps | deployments daemonsets replicasets statefulsets |
create delete get list patch update watch |
|
| zen.ibm.com | zencpps zencpps/status zencpps/finalizers |
create delete get list patch update watch |
|
| zen.cpd.ibm.com | zenservices | create delete get list patch update watch |
|
| operator.ibm.com | operandrequests operandregistries operandconfigs |
create delete get list patch update watch |
|
| operators.coreos.com | subscriptions operatorgroups |
create delete get list patch update watch |