Authorizing foundational services to perform operations on workloads in a namespace

Manage operator and service workload authority across namespaces.

When you install the IBM Cloud Pak foundational services operator, it installs the IBM NamespaceScope Operator in the ibm-common-services namespace. The IBM Cloud Pak foundational services operator also deploys two NamespaceScope resources in the ibm-common-services namespace: common-service and nss-managedby-odlm. The Operand Deployment Lifecycle Manager manages the nss-managedby-odlm custom resource (CR) and adds the namespace of the OperandRequest into this CR. You can also manually add a namespace in the spec.namespaceMembers section of the common-service CR in the ibm-common-services namespace to authorize foundational services with permissions to that namespace. See Updating the CommonService custom resource. If you want to use the command-line interface (CLI) to update the NamespaceScope custom resource, see Updating the NamespaceScope CR by using the CLI.

The IBM NamespaceScope Operator automatically extends the watch and service account permission scope of operators and service workloads to other namespaces in your OpenShift cluster. The operator runs in the ibm-common-services namespace. It watches the target namespace and extends the roles and role bindings of the operator and associated workloads to the namespace that is specified in a NamespaceScope CR.

From foundational services version 3.22 onwards, the runtime permissions of the operator from the original namespace are aggregated into a role for the operator in the target namespace. The name of the role in the target namespace is nss-runtime-managed-role-from-<original-namespace>.
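Because the aggregated role grants the operator's runtime permissions inside a namespace you own, it is worth reviewing what the role actually contains after a namespace is added. The following script is an added example, not IBM's tooling: it reads a Role as printed by oc get role ... -o json and flags rules that a least-privilege review should look at (wildcards, and write access to resources such as secrets and rolebindings that let a principal widen its own rights). The role name follows the nss-runtime-managed-role-from-<original-namespace> pattern above; the sample Role embedded in the script is constructed with deliberately broad rules to exercise the checks and is not copied from a cluster.

```python
"""Review the rules of the aggregated role that the NamespaceScope Operator
creates in a target namespace (nss-runtime-managed-role-from-<original-namespace>).

Assumed usage (example workflow, not IBM's own tooling):
  oc -n cloudpak-namespace get role \
      nss-runtime-managed-role-from-ibm-common-services -o json \
      | python3 nss_role_audit.py
"""
import json
import sys

# Resources whose write access lets a principal broaden its own rights or read
# credentials. A finding here means "look at this", not "this is wrong".
SENSITIVE = {"secrets", "roles", "rolebindings", "serviceaccounts",
             "serviceaccounts/token", "pods/exec"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def audit_rules(rules):
    """Return a list of (severity, message) findings for a list of RBAC rules."""
    findings = []
    for i, rule in enumerate(rules):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        where = f"rule[{i}]"
        if "*" in verbs and "*" in resources:
            # Effectively namespace admin: nothing finer-grained to report.
            findings.append(("high", f"{where}: wildcard verbs on wildcard resources"))
            continue
        if "*" in verbs:
            findings.append(("medium", f"{where}: all verbs on {resources}"))
        if "*" in resources:
            findings.append(("medium", f"{where}: all resources in apiGroups {groups}"))
        hits = sorted(SENSITIVE & set(resources))
        if hits and WRITE_VERBS & set(verbs):
            findings.append(("medium", f"{where}: write access to {hits}"))
        elif hits:
            findings.append(("low", f"{where}: read access to {hits}"))
    return findings


def audit_role(role):
    """Audit a Role object as printed by `oc get role ... -o json`."""
    if role.get("kind") != "Role":
        raise ValueError(f"expected a Role, got {role.get('kind')!r}")
    return audit_rules(role.get("rules", []))


# Constructed sample in the shape of the aggregated role, with deliberately
# broad rules so every branch above is exercised. Not from a real cluster.
SAMPLE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "nss-runtime-managed-role-from-ibm-common-services",
                 "namespace": "cloudpak-namespace"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps", "services"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["rolebindings"],
         "verbs": ["*"]},
    ],
}


def main():
    """Read a Role from stdin and print one line per finding."""
    for sev, msg in audit_role(json.load(sys.stdin)):
        print(f"[{sev}] {msg}")


if __name__ == "__main__":
    main()
```

Run against SAMPLE_ROLE the script reports read access to secrets in rule[1] and, for rule[2], both the wildcard verbs and the write access to rolebindings; the first rule (ordinary read/write on configmaps and services) produces no finding. Severities are a starting point for a review, not a verdict.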

Following is a sample YAML specification of the NamespaceScope CR:

apiVersion: operator.ibm.com/v1
kind: NamespaceScope
metadata:
  name: namespacescope
  namespace: ibm-common-services
spec:
  namespaceMembers:
    - <your-IBM-Cloud-Pak-namespace>
    - <any-other-namespace>
  configmapName: namespace-scope
  restartLabels:
    intent: projected

Updating the NamespaceScope CR by using the CLI

Use the following commands to add a namespace in the spec.namespaceMembers section of the NamespaceScope CR:

  1. Get the namespaces that are in the namespaceMembers list to check whether your namespace is already in the list.

    oc -n ibm-common-services get namespacescope common-service -o yaml
    
  2. If required, add a namespace in the spec.namespaceMembers section of the CR.

    1. Open the CR for editing.
      oc -n ibm-common-services edit namespacescope common-service
      
    2. Add the namespace to the spec.namespaceMembers list.
    3. Save the changes and close the CR.
  3. Verify whether the namespace is added to the configmap.

    oc -n ibm-common-services get configmap namespace-scope -o yaml
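The interactive oc edit step above is easy to get wrong in automation (a duplicate entry, a typo in the namespace name, or an edit racing with another change). The following script is an added example, not part of IBM's documentation or operator: it takes the JSON that oc get ... -o json prints, checks whether the namespace is already in spec.namespaceMembers, and emits an RFC 6902 JSON patch that can be applied with oc patch --type=json, so the same command is safe to rerun. The script name, the reading of the namespace-scope configmap as a comma-separated string under data.namespaces, and the sample objects embedded in the script are assumptions; the CR name common-service and the configmap name namespace-scope come from the steps above.

```python
"""Build idempotent JSON patches for the NamespaceScope CR and read back the
namespace-scope configmap. Input is the JSON that `oc ... -o json` prints.

Assumed usage (example workflow, not IBM's own tooling):
  oc -n ibm-common-services get namespacescope common-service -o json \
      | python3 nss_members.py add cloudpak-namespace > patch.json
  oc -n ibm-common-services patch namespacescope common-service \
      --type=json -p "$(cat patch.json)"
"""
import json
import re
import sys

# RFC 1123 label rule that Kubernetes applies to namespace names.
_NS_RE = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")


def valid_namespace(name):
    """True if `name` is a syntactically valid Kubernetes namespace name."""
    return bool(_NS_RE.match(name))


def members(cr):
    """Return spec.namespaceMembers of a NamespaceScope CR (empty list if unset)."""
    return list(cr.get("spec", {}).get("namespaceMembers") or [])


def add_member_patch(cr, ns):
    """JSON Patch ops that append `ns`; None if it is already listed."""
    if not valid_namespace(ns):
        raise ValueError(f"invalid namespace name: {ns!r}")
    current = members(cr)
    if ns in current:
        return None
    if "spec" not in cr:
        return [{"op": "add", "path": "/spec", "value": {"namespaceMembers": [ns]}}]
    if not current:
        # List absent or empty: create it rather than appending to nothing.
        return [{"op": "add", "path": "/spec/namespaceMembers", "value": [ns]}]
    return [{"op": "add", "path": "/spec/namespaceMembers/-", "value": ns}]


def remove_member_patch(cr, ns):
    """JSON Patch ops that drop `ns`; None if it is not listed.
    The `test` op makes the patch fail instead of removing the wrong entry
    if the list changed between `get` and `patch`."""
    current = members(cr)
    if ns not in current:
        return None
    idx = current.index(ns)
    return [
        {"op": "test", "path": f"/spec/namespaceMembers/{idx}", "value": ns},
        {"op": "remove", "path": f"/spec/namespaceMembers/{idx}"},
    ]


def configmap_namespaces(cm):
    """Namespaces recorded in the namespace-scope configmap.
    Assumption: the operator stores them as a comma-separated string in
    data.namespaces; check the `oc get configmap` output if your version differs."""
    raw = cm.get("data", {}).get("namespaces", "")
    return [n.strip() for n in raw.split(",") if n.strip()]


# Constructed sample objects in the shape of `oc get ... -o json` output.
SAMPLE_CR = {
    "apiVersion": "operator.ibm.com/v1",
    "kind": "NamespaceScope",
    "metadata": {"name": "common-service", "namespace": "ibm-common-services"},
    "spec": {
        "namespaceMembers": ["ibm-common-services"],
        "configmapName": "namespace-scope",
        "restartLabels": {"intent": "projected"},
    },
}
SAMPLE_CM = {
    "kind": "ConfigMap",
    "metadata": {"name": "namespace-scope", "namespace": "ibm-common-services"},
    "data": {"namespaces": "ibm-common-services,cloudpak-namespace"},
}


def main(argv):
    """CLI: `add <ns>` or `remove <ns>`; CR JSON on stdin, patch JSON on stdout."""
    action, ns = argv[1], argv[2]
    obj = json.load(sys.stdin)
    patch = add_member_patch(obj, ns) if action == "add" else remove_member_patch(obj, ns)
    if patch is None:
        state = "present" if action == "add" else "absent"
        print(f"nothing to do: {ns} already {state}", file=sys.stderr)
        return 0
    print(json.dumps(patch))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

After applying the patch, feed oc -n ibm-common-services get configmap namespace-scope -o json to configmap_namespaces to confirm the operator picked up the change; the removal patch is paired with a test op so a stale index never deletes a different namespace's entry.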
    

IBM NamespaceScope Operator (Restricted)

By default, the IBM NamespaceScope Operator has cluster administrator permissions, which you can use to automatically authorize permissions in your IBM Cloud Pak namespace.

If you do not want this operator to have cluster administrator permissions, you can add manualManagement: true in the spec section of the CommonService CR. For more information about how to access the CommonService CR, see Configuring IBM Cloud Pak foundational services by using the CommonService custom resource. See the following sample:

apiVersion: operator.ibm.com/v3
kind: CommonService
metadata:
  name: common-service
  namespace: ibm-common-services
spec:
  size: medium
  manualManagement: true

When you add manualManagement: true, the IBM NamespaceScope Operator Restricted is installed in place of the IBM NamespaceScope Operator.

The IBM NamespaceScope Operator Restricted has permission only within the ibm-common-services namespace. You need to manually authorize the IBM NamespaceScope Operator Restricted with permissions to your target namespace. After you create the CR with manualManagement: true, complete these steps from your Red Hat® OpenShift® Container Platform command-line interface (CLI).

  1. Log in to your cluster as a cluster administrator by using the oc login command.
  2. Download the script that you need to manually authorize namespaces:

    • For foundational services installer versions 3.6 and 3.7, download the following script:

      wget https://raw.githubusercontent.com/IBM/ibm-namespace-scope-operator/release-1.1/scripts/authorize-namespace.sh
      
    • For foundational services installer versions 3.8 to 3.21, download the following script:

      wget https://raw.githubusercontent.com/IBM/ibm-namespace-scope-operator/release-ltsr/scripts/authorize-namespace.sh
      
    • For foundational services installer version 3.22 and later, download the following script:

      wget https://raw.githubusercontent.com/IBM/ibm-namespace-scope-operator/master/scripts/authorize-namespace.sh
      
  3. Run the script.

    ./authorize-namespace.sh <namespace>
    

    For example, if you want the service account of the IBM NamespaceScope Operator Restricted that is in the ibm-common-services namespace to have namespace administrator permission in the cloudpak-namespace namespace, which is the namespace where IBM Cloud Pak is installed, you would run the following command:

    ./authorize-namespace.sh cloudpak-namespace
    

    To revoke the permission, you would run this command:

    ./authorize-namespace.sh cloudpak-namespace -delete