Applying the required permissions to the projects (namespaces) for an instance of IBM Cloud Pak for Data

Before you install an instance of IBM Cloud Pak for Data, you must ensure that the project where the operators will be installed can watch the project where the Cloud Pak for Data control plane and services are installed.

Installation phase
You are not here. Setting up a client workstation
You are not here. Setting up a cluster
You are not here. Collecting required information
You are not here. Preparing to run installs from a private container registry
You are not here. Preparing the cluster for Cloud Pak for Data
You are here icon. Preparing to install an instance of Cloud Pak for Data
You are not here. Installing an instance of Cloud Pak for Data
Who needs to complete this task?

Cluster administrator A cluster administrator must complete this task.

When do you need to complete this task?

Repeat as needed If you plan to install multiple instances of Cloud Pak for Data, you must repeat this task for each instance that you plan to install.

Before you begin

Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

About this task

You must run the authorize-instance-topology command to apply the required permissions to the projects that are associated with an instance of IBM Cloud Pak for Data.

The command:
  • Creates the specified projects if they don't already exist.
  • Creates the NamespaceScope operator in the operators project.
  • Applies the require role to the operands project and any tethered projects.
  • Binds the applied role to the service account of the NamespaceScope operator.

Procedure

To apply the required permissions to the projects:

  1. Run the cpd-cli manage login-to-ocp command to log in to the cluster as a user with sufficient permissions to complete this task. For example: 
    cpd-cli manage login-to-ocp \
--username=${OCP_USERNAME} \
--password=${OCP_PASSWORD} \
--server=${OCP_URL}
    Tip: The login-to-ocp command takes the same input as the oc login command. Run oc login --help for details.
  2. Run the cpd-cli manage authorize-instance-topology to apply the required permissions to the projects.
    Tip: Before you run this command against your cluster, you can preview the oc commands that this command will issue on your behalf by running the command with the --preview=true option.

    The oc commands are saved to the preview.sh file in the work directory.

    Instances without tethered projects 
    cpd-cli manage authorize-instance-topology \
--cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS}
    Instances with tethered projects 
    cpd-cli manage authorize-instance-topology \
--cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--additional_ns=${PROJECT_CPD_INSTANCE_TETHERED_LIST}

What to do next

Now that you've applied the required permissions to the projects, you're ready to complete Authorizing a user to act as an IBM Cloud Pak for Data instance administrator.