Question & Answer
Question
Can a non-cluster admin role create a CustomResourceDefinition?
Answer
By default, you need the cluster-admin role to create a CustomResourceDefinition. Here is the OpenShift document that supports this; it is applicable to IBM Cloud Private too.
However, you can create a new ClusterRole, for example rbac-manager, and assign the user to that role. Here is a sample ClusterRole for a custom controller:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: rbac-manager
    chart: rbac-manager-0.3.1
    heritage: Tiller
    release: rbac-manager
  name: rbac-manager
rules:
- apiGroups:
  - rbacmanager.reactiveops.io
  resources:
  - rbacdefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  - authorization.k8s.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - '*'
Notice that it allows access to an apiGroup called rbacmanager.reactiveops.io, which is itself a CustomResourceDefinition apiGroup. An rbacdefinition is a CustomResourceDefinition.
In addition, you can grant access to CustomResourceDefinitions in general:
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - "*"
Create a file, paste the content into it, and run the following command to create the definition:
kubectl apply -f <name of the file>
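A narrower variant for the case in the question, as an added example that is not part of the original IBM document: a ClusterRole limited to CustomResourceDefinitions with explicit verbs (the sample above grants every verb on every resource in rbac.authorization.k8s.io), plus the ClusterRoleBinding that assigns a user to it. The names crd-manager and crd-manager-binding and the user jane@example.com are assumptions.

```yaml
# Added example: the role name, binding name and user are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crd-manager            # hypothetical role name
rules:
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:                       # explicit verbs instead of "*"
  - create
  - get
  - list
  - watch
  - update
  - patch
  # delete is left out: removing a CRD also removes every custom
  # resource of that type.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: crd-manager-binding    # hypothetical binding name
subjects:
- kind: User
  name: jane@example.com       # hypothetical user; must match the name the cluster authenticates
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: crd-manager
  apiGroup: rbac.authorization.k8s.io
# Check the result as a cluster admin:
#   kubectl auth can-i create customresourcedefinitions --as=jane@example.com
```

This role covers the definitions only; access to the custom resources a CRD introduces needs its own rule for that resource's apiGroup.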
Document Information
Modified date:
09 June 2020
UID
ibm16211912