Before you install an instance of IBM® Software Hub, you must ensure that the project where the operators will be installed can watch the project where the IBM Software Hub control plane is installed. If you don't want to assign the NamespaceScope operator a role that includes wildcard characters, you can give the operator the minimum role-based access control (RBAC) to manage an instance of IBM Software Hub.
Who needs to complete this task?
A cluster administrator must complete this task.

When do you need to complete this task?
Complete this task only if you don't want to assign the NamespaceScope operator a role that includes wildcard characters. If you are willing to assign the NamespaceScope operator a role that includes wildcard characters, see Applying the required permissions to the projects (namespaces) for an instance of IBM Software Hub.
About this task
Use the show-minimum-rbac command to generate the YAML files that you can use to give the NamespaceScope operator the minimum RBAC to manage an instance of IBM Software Hub.

Important: This task is recommended only for customers with extremely rigid security requirements. It is not recommended for most customers because it requires additional planning and maintenance.

You must re-run the show-minimum-rbac command each time you plan to install a newer version of IBM Software Hub to ensure that the operator has sufficient permissions to manage the resources that are associated with the instance of IBM Software Hub, especially if you plan to install additional services.
Procedure
- Log the cpd-cli in to the Red Hat® OpenShift® Container Platform cluster:

  ${CPDM_OC_LOGIN}

  Remember: CPDM_OC_LOGIN is an alias for the cpd-cli manage login-to-ocp command.
- Set the ROLE_NAME environment variable to a unique identifier for the role. The name must meet the following requirements:
  - Start with an alphanumeric character
  - Contain only alphanumeric characters and dashes (-)
  - Be a maximum of 20 characters

  export ROLE_NAME=<role_name>
- Run the cpd-cli manage show-minimum-rbac command to generate the YAML files that you can use to create the roles with the minimum RBAC for the NamespaceScope operator:

  cpd-cli manage show-minimum-rbac \
  --cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
  --components=${COMPONENTS} \
  --release=${VERSION} \
  --role_name=${ROLE_NAME}

  The command generates the following YAML file in the work directory:

  nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}.yaml
- Change to the work directory.
- Create the nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS} role from the nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}.yaml YAML file:
  - Create the nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS} role in the operators project for the instance:

    oc create \
    -f nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}.yaml \
    --namespace=${PROJECT_CPD_INST_OPERATORS}

  - Create the nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS} role in the operands project for the instance:

    oc create \
    -f nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}.yaml \
    --namespace=${PROJECT_CPD_INST_OPERANDS}

  - Create the nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS} role in any tethered projects for the instance:

    oc create \
    -f nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}.yaml \
    --namespace=${PROJECT_CPD_INSTANCE_TETHERED}

    Repeat this step for each tethered project that is associated with this instance of IBM Software Hub.

    Tip: If you set the PROJECT_CPD_INSTANCE_TETHERED_LIST environment variable, print the list of tethered projects to the terminal:

    echo $PROJECT_CPD_INSTANCE_TETHERED_LIST

    Use this information to set the PROJECT_CPD_INSTANCE_TETHERED environment variable before you re-run the command.
- Create the role bindings:
  - Create the role binding in the operators project for the instance:

    oc create -f - << EOF
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}
      namespace: ${PROJECT_CPD_INST_OPERATORS}
      labels:
        managed-by: nss
    subjects:
    - kind: ServiceAccount
      name: ibm-namespace-scope-operator
      namespace: ${PROJECT_CPD_INST_OPERATORS}
    roleRef:
      kind: Role
      name: nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}
      apiGroup: rbac.authorization.k8s.io
    EOF

  - Create the role binding in the operands project for the instance:

    oc create -f - << EOF
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}
      namespace: ${PROJECT_CPD_INST_OPERANDS}
      labels:
        managed-by: nss
    subjects:
    - kind: ServiceAccount
      name: ibm-namespace-scope-operator
      namespace: ${PROJECT_CPD_INST_OPERATORS}
    roleRef:
      kind: Role
      name: nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}
      apiGroup: rbac.authorization.k8s.io
    EOF

  - Create the role binding in any tethered projects for the instance:

    oc create -f - << EOF
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}
      namespace: ${PROJECT_CPD_INSTANCE_TETHERED}
      labels:
        managed-by: nss
    subjects:
    - kind: ServiceAccount
      name: ibm-namespace-scope-operator
      namespace: ${PROJECT_CPD_INST_OPERATORS}
    roleRef:
      kind: Role
      name: nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}
      apiGroup: rbac.authorization.k8s.io
    EOF

    Repeat this step for each tethered project that is associated with this instance of IBM Software Hub.

    Tip: If you set the PROJECT_CPD_INSTANCE_TETHERED_LIST environment variable, print the list of tethered projects to the terminal:

    echo $PROJECT_CPD_INSTANCE_TETHERED_LIST

    Use this information to set the PROJECT_CPD_INSTANCE_TETHERED environment variable before you re-run the command.
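The role and role-binding steps above are the same operation repeated once per project, which invites copy-and-paste drift between the three heredocs. The following shell script is an added example, not part of the IBM documentation: it renders the RoleBinding once per target project, creates the Role and RoleBinding in each, and then lists the operator service account's effective permissions in that project for review. It assumes the environment variables from the procedure are exported and that PROJECT_CPD_INSTANCE_TETHERED_LIST is a comma-separated list (which may be empty or unset when there are no tethered projects).

```shell
# Added example, not from the IBM documentation. Creates the generated Role and
# a RoleBinding in every project the instance uses with one loop, then shows what
# the NamespaceScope operator's service account can actually do in each project.
# Assumption (not confirmed by the page): PROJECT_CPD_INSTANCE_TETHERED_LIST is a
# comma-separated list; it may be empty or unset if there are no tethered projects.
set -eu

# Every project that needs the Role and RoleBinding, one name per line:
# operators project, operands project, then each tethered project.
nss_target_namespaces() {
  printf '%s\n' "$PROJECT_CPD_INST_OPERATORS" "$PROJECT_CPD_INST_OPERANDS"
  if [ -n "${PROJECT_CPD_INSTANCE_TETHERED_LIST:-}" ]; then
    printf '%s\n' "$PROJECT_CPD_INSTANCE_TETHERED_LIST" | tr ',' '\n' | sed '/^$/d'
  fi
}

# Render the RoleBinding for one project ($1). Only metadata.namespace varies; the
# subject is always the operator's service account in the operators project.
render_nss_rolebinding() {
  cat <<EOF
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}
  namespace: $1
  labels:
    managed-by: nss
subjects:
- kind: ServiceAccount
  name: ibm-namespace-scope-operator
  namespace: ${PROJECT_CPD_INST_OPERATORS}
roleRef:
  kind: Role
  name: nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Run from the work directory that holds the generated Role YAML. After binding,
# print the service account's effective permissions so a reviewer can confirm
# nothing beyond the generated rules applies in that project.
apply_nss_minimum_rbac() {
  for ns in $(nss_target_namespaces); do
    oc create -f "nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}.yaml" --namespace="$ns"
    render_nss_rolebinding "$ns" | oc create -f -
    oc auth can-i --list --namespace="$ns" \
      --as="system:serviceaccount:${PROJECT_CPD_INST_OPERATORS}:ibm-namespace-scope-operator"
  done
}
```

Call apply_nss_minimum_rbac after the show-minimum-rbac step; because the role file name is derived from PROJECT_CPD_INST_OPERATORS, the script must be re-run whenever that file is regenerated for a newer release.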