Cluster role permissions

The operator has cluster-level permissions for the operations that it performs when the subscription is created for All Namespaces (openshift-operators namespace). Cluster administrators can control workload isolation by determining when and where permissions have authority over any individual namespace in the cluster.

A cluster role does not scope permission to a single namespace. However, when a cluster role is linked to a service account by using a role binding, the cluster role permissions apply to the namespace in which the role binding is created. A cluster role defines the permissions that are expressed in a single namespace when referenced by a role binding. Binding a role to a service account removes the need to duplicate roles in many namespaces.

Reviewing the operator cluster role permissions helps you understand the implications they have for other workloads in the cluster.

Table 1. Operator cluster role permissions (an API group of `""` is the core Kubernetes API group; `*` means all resources or all verbs)

| API Groups | Resources | Verbs | Description |
|---|---|---|---|
| security.openshift.io | securitycontextconstraints | Use, List | Required by the operator and restricted to resourceNames of the restricted SCC. |
| icp4a.ibm.com | * | * | CP4BA CustomResourceDefinition. |
| extensions | podsecuritypolicies, ingresses | Get, List, Update, Create, Watch | Required to retrieve, update and create ingresses and pod security policies for the legacy services. |
| route.openshift.io | routes | Get | Required to support retrieval of OpenShift routes. |
| "" | configmaps, secrets, persistentvolumes | Get, Patch, Update, Create, Delete | Creating and managing resources like configmaps, secrets, and persistent volumes within the CP4BA namespace. |
| "" | pods | Get, List, Delete | The ability to manage deployed pods with the Get, List and Delete actions. |
| "" | namespaces | Get, List | The ability to manage namespaces with the Get and List actions. |
| operator.ibm.com | operandrequests | Get, List, Update, Create, Delete, Watch, Status | Required for creating and managing operand requests inside the namespace where Cloud Pak foundational services is deployed. |
| operator.ibm.com | commonservices | Get, List, Update, Create, Delete, Patch, Watch | Required for creating and managing the Cloud Pak foundational services operator inside the namespace where Cloud Pak foundational services is deployed. |
| operator.openshift.io | ingresscontrollers | Get, List | Permission for DNS and ingress controllers from the openshift-ingress-operator namespace to get the router application domain. |
| operators.coreos.com | subscriptions, clusterserviceversions | Get, List, Update, Create, Delete, Patch, Watch | Used for managing OLM operator subscriptions in the CP4BA namespace. |
| operator.ibm.com | businessteamsservices | Get, List, Create, Delete, Patch, Watch | For creating and managing Business Team Services from the namespace in which Cloud Pak foundational services is installed. |
| apiextensions.k8s.io | customresourcedefinitions | Get, List | Used for creating the CustomResourceDefinitions (CRDs). |
| oidc.security.ibm.com | clients | * | Used for creating and managing OIDC secrets. |
| postgresql.k8s.enterprisedb.io | clusters | Get, List, Create, Update, Patch, Watch | Required for creating and managing the deployed PostgreSQL operator. |
| zen.cpd.ibm.com | zenservices, zenextension, zenextensions | Get, List, Create, Update, Delete, Patch, Watch | Required for creating and managing the Zen Service and Zen Extension deployed on the cluster. |
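As an added example (not from the IBM documentation or the operator itself), the following Python audits a ClusterRole document, in the shape that `oc get clusterrole <name> -o json` returns, against a subset of the table above and reports every grant that exceeds it, including an SCC grant that is not limited to the restricted SCC. The manifest and the role name in it are constructed for the example.

```python
# Added example, not part of the IBM documentation or the CP4BA operator code. It audits a
# ClusterRole (the shape of `oc get clusterrole <name> -o json`) against the documented
# permission table, flagging grants that exceed it. The manifest below is constructed.

# (apiGroup, resource) -> documented verbs; "" is the core API group, "*" matches anything.
# A subset of the table is enough to demonstrate the check; extend it with the full table.
DOCUMENTED = {
    ("security.openshift.io", "securitycontextconstraints"): {"use", "list"},
    ("icp4a.ibm.com", "*"): {"*"},
    ("", "configmaps"): {"get", "patch", "update", "create", "delete"},
    ("", "secrets"): {"get", "patch", "update", "create", "delete"},
    ("", "pods"): {"get", "list", "delete"},
    ("", "namespaces"): {"get", "list"},
}


def audit_cluster_role(role, documented=DOCUMENTED):
    """Return one finding string per grant that goes beyond the documented table.

    The SCC grant is additionally required to be limited by resourceNames to 'restricted'.
    """
    findings = []
    for rule in role.get("rules", []):
        verbs = {v.lower() for v in rule.get("verbs", [])}
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                label = f"{group or 'core'}/{resource}"
                allowed = documented.get((group, resource), documented.get((group, "*")))
                if allowed is None:
                    findings.append(f"undocumented grant on {label}: {sorted(verbs)}")
                    continue
                if "*" not in allowed and verbs - allowed:
                    findings.append(f"extra verbs on {label}: {sorted(verbs - allowed)}")
                if resource == "securitycontextconstraints":
                    names = rule.get("resourceNames", [])
                    if not names or any(n != "restricted" for n in names):
                        findings.append(f"SCC grant not limited to resourceNames ['restricted']: {names}")
    return findings


# Constructed ClusterRole with two deviations: 'create' on pods, and an undocumented
# grant on serviceaccounts. The role name is hypothetical.
SAMPLE_ROLE = {
    "metadata": {"name": "example-operator-clusterrole"},
    "rules": [
        {"apiGroups": ["security.openshift.io"], "resources": ["securitycontextconstraints"],
         "resourceNames": ["restricted"], "verbs": ["use", "list"]},
        {"apiGroups": ["icp4a.ibm.com"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["configmaps", "secrets"],
         "verbs": ["get", "patch", "update", "create", "delete"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "delete", "create"]},
        {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["create"]},
    ],
}
```

Running `audit_cluster_role(SAMPLE_ROLE)` reports the extra `create` verb on pods and the undocumented serviceaccounts grant; a role whose rules match the table returns an empty list.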