Kubernetes API Access

Kubernetes privileges are needed by the Cloud Pak for Business Automation operators to install and manage deployments. The operators use service accounts that are granted specific privileges. You can access the Kubernetes API by using the kubectl command line tool.

To access a cluster, you need to know the location of the cluster and have credentials to access it. You can check the location and credentials by running the following command:

kubectl config view

To access the REST API with an HTTP client, you can either run kubectl in proxy mode or provide the location and credentials directly to the HTTP client. In proxy mode, kubectl verifies the identity of the API server by using its self-signed certificate. For direct access, you must import the root certificate into your HTTP client so that the client can verify the API server.

Role-based access control (RBAC) defines access to Kubernetes API resources based on the roles of users within your organization. An RBAC role contains rules, each of which represents a set of permissions. A role binding grants the permissions that are defined in a role to a set of subjects (users, groups, or service accounts).

All Cloud Pak for Business Automation operators, and some patterns and components, create a service account that provides an identity for the processes they run. Operations that require access to the Kubernetes API are authorized through the binding of that service account to a role.

The following sections list the service accounts and roles for each operator and component. Each role that is bound to an operator service account defines the rules for what that operator can do with the Kubernetes API.

Cloud Pak for Business Automation (CP4BA) multi-pattern operator

The CP4BA multi-pattern operator creates the following service account:

ibm-cp4a-operator

This service account binds to the following role:

ibm-cp4a-operator

This role has the following rules:

- rules:
  - apiGroups:
    - ""
    resources:
    - pods
    - services
    - endpoints
    - persistentvolumeclaims
    - events
    - configmaps
    - secrets
    - serviceaccounts
    - namespaces
    verbs:
    - watch
    - get
    - list
    - create
    - delete
    - update
    - patch
    - use
  - apiGroups:
    - apps
    resources:
    - deployments
    - replicasets
    - statefulsets
    verbs:
    - create
    - list
    - delete
    - update
    - patch
    - get
    - watch
  - apiGroups:
    - monitoring.coreos.com
    resources:
    - servicemonitors
    verbs:
    - get
    - create
  - apiGroups:
    - apps
    resourceNames:
    - ibm-cp4a-operator
    resources:
    - deployments/finalizers
    verbs:
    - update
  - apiGroups:
    - icp4a.ibm.com
    resources:
    - '*'
    verbs:
    - get
    - list
    - update
    - patch
    - delete
    - create
    - watch
  - apiGroups:
    - ""
    resources:
    - pods/exec
    - pods/log
    verbs:
    - create
    - get
    - watch
    - list
  - apiGroups:
    - autoscaling
    resources:
    - horizontalpodautoscalers
    verbs:
    - get
    - list
    - create
    - delete
    - update
    - patch
    - watch
  - apiGroups:
    - policy
    resources:
    - poddisruptionbudgets
    - podsecuritypolicies
    verbs:
    - get
    - list
    - create
    - delete
    - update
    - patch
    - watch
  - apiGroups:
    - networking.k8s.io
    resources:
    - networkpolicies
    - ingresses
    verbs:
    - get
    - list
    - create
    - delete
    - update
    - patch
    - watch
  - apiGroups:
    - rbac.authorization.k8s.io
    resources:
    - roles
    - rolebindings
    verbs:
    - get
    - list
    - create
    - delete
    - update
    - patch
    - watch
  - apiGroups:
    - batch
    resources:
    - jobs
    - cronjobs
    - deployments
    verbs:
    - create
    - list
    - delete
    - update
    - patch
    - get
    - wait
    - watch
  - apiGroups:
    - ""
    - route.openshift.io
    resources:
    - routes
    verbs:
    - get
    - list
    - create
    - delete
    - update
    - patch
    - watch
  - apiGroups:
    - ""
    - route.openshift.io
    resources:
    - routes/custom-host
    verbs:
    - get
    - create
    - list
    - delete
    - update
    - patch
    - watch
  - apiGroups:
    - extensions
    resources:
    - ingresses
    - jobs
    - deployments
    - networkpolicies
    - replicasets
    verbs:
    - get
    - list
    - create
    - delete
    - update
    - patch
  - apiGroups:
    - core.automation.ibm.com
    resources:
    - cartridges
    - automationuiconfigs
    verbs:
    - create
    - watch
    - list
    - get
    - delete
    - update
    - patch
  - apiGroups:
    - base.automation.ibm.com
    resources:
    - cartridgerequirements
    - automationbases
    verbs:
    - create
    - list
    - get
    - update
    - patch
    - watch
    - delete
  - apiGroups:
    - eventprocessing.automation.ibm.com
    resources:
    - eventprocessors
    verbs:
    - create
    - get
    - delete
    - list
    - patch
    - watch
  - apiGroups:
    - insightsengine.automation.ibm.com
    resources:
    - insightsengines
    verbs:
    - create
    - get
    - list
    - delete
    - patch
    - update
    - watch
  - apiGroups:
    - certmanager.k8s.io
    resources:
    - issuers
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - cert-manager.io
    resources:
    - issuers
    - certificates
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - oidc.security.ibm.com
    resources:
    - clients
    verbs:
    - create
    - delete
    - get
    - list
    - watch
    - patch
  - apiGroups:
    - zen.cpd.ibm.com
    resources:
    - zenservices
    - zenextensions
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - ibmevents.ibm.com
    resources:
    - kafkas
    - kafkausers
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - elastic.automation.ibm.com
    resources:
    - elasticsearches
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - elasticsearch.opencontent.ibm.com
    resources:
    - elasticsearchclusters
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - icp4a.ibm.com
    resources:
    - federatedsystems
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - icp4a.ibm.com
    resources:
    - workflowruntimes
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - icp4a.ibm.com
    resources:
    - businessautomationmachinelearnings
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch

CP4BA Foundation operator

The CP4BA Foundation operator creates the following service account:

icp4a-foundation-operator

This service account binds to the following role:

icp4a-foundation-operator

This role has the following rules:

- rules:
  - apiGroups:
    - ""
    resources:
    - pods
    - services
    - endpoints
    - persistentvolumeclaims
    - events
    - configmaps
    - secrets
    - serviceaccounts
    verbs:
    - '*'
  - apiGroups:
    - apps
    resources:
    - deployments
    - daemonsets
    - replicasets
    - statefulsets
    verbs:
    - '*'
  - apiGroups:
    - monitoring.coreos.com
    resources:
    - servicemonitors
    verbs:
    - get
    - create
  - apiGroups:
    - apps
    resourceNames:
    - icp4a-foundation-operator
    resources:
    - deployments/finalizers
    verbs:
    - update
  - apiGroups:
    - icp4a.ibm.com
    resources:
    - '*'
    verbs:
    - '*'
  - apiGroups:
    - ""
    resources:
    - pods/exec
    - pods/log
    verbs:
    - '*'
  - apiGroups:
    - autoscaling
    resources:
    - horizontalpodautoscalers
    verbs:
    - '*'
  - apiGroups:
    - policy
    resources:
    - poddisruptionbudgets
    - podsecuritypolicies
    verbs:
    - '*'
  - apiGroups:
    - networking.k8s.io
    resources:
    - networkpolicies
    - ingresses
    verbs:
    - '*'
  - apiGroups:
    - rbac.authorization.k8s.io
    resources:
    - roles
    - rolebindings
    verbs:
    - '*'
  - apiGroups:
    - batch
    resources:
    - jobs
    - cronjobs
    - deployments
    verbs:
    - '*'
  - apiGroups:
    - ""
    - route.openshift.io
    resources:
    - routes
    verbs:
    - '*'
  - apiGroups:
    - ""
    - route.openshift.io
    resources:
    - routes/custom-host
    verbs:
    - '*'
  - apiGroups:
    - extensions
    resources:
    - ingresses
    - jobs
    - deployments
    - networkpolicies
    - replicasets
    verbs:
    - '*'
  - apiGroups:
    - oidc.security.ibm.com
    resources:
    - clients
    verbs:
    - '*'
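
The following Python script is an added example; it is not part of the Cloud Pak documentation and not code from the operators. It reproduces the matching semantics of the Kubernetes RBAC authorizer (wildcard verbs and API groups, subresources such as pods/exec, and resourceNames) so that you can answer "can this role do X?" offline, and it applies a small set of review checks to the rules. MULTI_PATTERN and FOUNDATION are subsets of the ibm-cp4a-operator and icp4a-foundation-operator rules listed above, transcribed as Python data; REVIEW_CHECKS is this example's own selection of grants that a cluster administrator usually wants to know about, not a list from the page.

```python
"""Offline evaluation of the RBAC rules listed on this page (added example).

MULTI_PATTERN and FOUNDATION are subsets transcribed from the ibm-cp4a-operator
and icp4a-foundation-operator roles; REVIEW_CHECKS is this example's own choice
of grants worth a second look.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)


def _wild(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def _resource_matches(rule_resource: str, resource: str, subresource: str) -> bool:
    # Same semantics as the Kubernetes RBAC authorizer: "*" matches anything,
    # a plain resource matches only requests without a subresource, and a
    # subresource request is matched by "resource/sub" or "*/sub".
    if rule_resource == "*":
        return True
    if not subresource:
        return rule_resource == resource
    return rule_resource in (resource + "/" + subresource, "*/" + subresource)


def rule_allows(rule: Rule, verb: str, api_group: str, resource: str, name: str = "") -> bool:
    base, _, sub = resource.partition("/")
    return (
        any(_wild(v, verb) for v in rule.verbs)
        and any(_wild(g, api_group) for g in rule.api_groups)
        and any(_resource_matches(r, base, sub) for r in rule.resources)
        and (not rule.resource_names or name in rule.resource_names)
    )


def can_i(rules, verb, api_group, resource, name=""):
    """Local equivalent of `kubectl auth can-i`, limited to the rules given:
    it does not see other bindings, aggregated roles or admission webhooks."""
    return any(rule_allows(r, verb, api_group, resource, name) for r in rules)


# (verb, apiGroup, resource, why it is worth reviewing) - this example's own list
REVIEW_CHECKS = [
    ("get", "", "secrets", "can read every Secret in the namespace"),
    ("create", "", "pods/exec", "can run commands inside any pod in the namespace"),
    ("create", "rbac.authorization.k8s.io", "rolebindings", "can bind roles to other subjects"),
    ("delete", "", "namespaces", "can delete namespaces"),
]


def review(rules):
    """Return (review notes that apply, number of rules that use a wildcard verb).
    A wildcard verb also covers verbs that are added in later Kubernetes versions."""
    notes = [why for verb, group, res, why in REVIEW_CHECKS if can_i(rules, verb, group, res)]
    wildcard = sum(1 for r in rules if "*" in r.verbs)
    return notes, wildcard


MULTI_PATTERN = [  # ibm-cp4a-operator: a subset of the rules shown above
    Rule([""], ["pods", "services", "endpoints", "persistentvolumeclaims", "events",
                "configmaps", "secrets", "serviceaccounts", "namespaces"],
         ["watch", "get", "list", "create", "delete", "update", "patch", "use"]),
    Rule(["apps"], ["deployments", "replicasets", "statefulsets"],
         ["create", "list", "delete", "update", "patch", "get", "watch"]),
    Rule(["apps"], ["deployments/finalizers"], ["update"], resource_names=["ibm-cp4a-operator"]),
    Rule([""], ["pods/exec", "pods/log"], ["create", "get", "watch", "list"]),
    Rule(["rbac.authorization.k8s.io"], ["roles", "rolebindings"],
         ["get", "list", "create", "delete", "update", "patch", "watch"]),
]

FOUNDATION = [  # icp4a-foundation-operator: the same resources granted with '*'
    Rule([""], ["pods", "services", "endpoints", "persistentvolumeclaims", "events",
                "configmaps", "secrets", "serviceaccounts"], ["*"]),
    Rule(["apps"], ["deployments", "daemonsets", "replicasets", "statefulsets"], ["*"]),
    Rule([""], ["pods/exec", "pods/log"], ["*"]),
    Rule(["rbac.authorization.k8s.io"], ["roles", "rolebindings"], ["*"]),
]


if __name__ == "__main__":
    for label, rules in (("ibm-cp4a-operator", MULTI_PATTERN), ("icp4a-foundation-operator", FOUNDATION)):
        notes, wildcard = review(rules)
        print(f"{label}: {wildcard} wildcard-verb rule(s)")
        for note in notes:
            print("  -", note)
    # Subresource and resourceNames handling, where reading rules by hand goes wrong most often
    print(can_i(MULTI_PATTERN, "update", "apps", "deployments/finalizers", "ibm-cp4a-operator"))  # True
    print(can_i(MULTI_PATTERN, "update", "apps", "deployments/finalizers", "other"))             # False
    print(can_i(MULTI_PATTERN, "delete", "", "pods/exec"))  # False: only create/get/watch/list
    print(can_i(FOUNDATION, "delete", "", "pods/exec"))     # True: wildcard verb
```

Two points the output makes visible: the rule on deployments does not cover deployments/finalizers, because a plain resource never matches a subresource request, so the finalizer grant comes only from the resourceNames-scoped rule and applies only to the operator's own Deployment; and replacing an explicit verb list with '*' (as the foundation operator role does) also grants delete on pods/exec and any verb that later Kubernetes versions add, which is why wildcard rules deserve separate review.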

CP4BA FileNet Content Manager operator

The CP4BA FileNet® Content Manager operator creates the following service account:

ibm-cp4a-content-operator

This service account binds to the following role:

ibm-content-operator

This role has the following rules:

- rules:
  - apiGroups:
    - ""
    resources:
    - pods
    - services
    - endpoints
    - persistentvolumeclaims
    - events
    - configmaps
    - secrets
    - serviceaccounts
    - namespaces
    verbs:
    - watch
    - get
    - list
    - create
    - delete
    - update
    - patch
    - use
  - apiGroups:
    - apps
    resources:
    - deployments
    - daemonsets
    - replicasets
    - statefulsets
    verbs:
    - create
    - list
    - delete
    - update
    - patch
    - get
    - watch
  - apiGroups:
    - monitoring.coreos.com
    resources:
    - servicemonitors
    verbs:
    - get
    - list
    - watch
    - create
  - apiGroups:
    - apps
    resourceNames:
    - ibm-content-operator
    resources:
    - deployments/finalizers
    verbs:
    - update
  - apiGroups:
    - icp4a.ibm.com
    resources:
    - '*'
    verbs:
    - get
    - list
    - update
    - patch
    - delete
    - create
    - watch
  - apiGroups:
    - ""
    resources:
    - pods/exec
    - pods/log
    verbs:
    - create
    - get
    - watch
    - list
  - apiGroups:
    - autoscaling
    resources:
    - horizontalpodautoscalers
    verbs:
    - get
    - list
    - create
    - delete
    - update
    - patch
    - watch
  - apiGroups:
    - policy
    resources:
    - poddisruptionbudgets
    - podsecuritypolicies
    verbs:
    - get
    - list
    - create
    - delete
    - update
    - patch
    - watch
  - apiGroups:
    - networking.k8s.io
    resources:
    - networkpolicies
    - ingresses
    verbs:
    - get
    - list
    - create
    - delete
    - update
    - patch
    - watch
  - apiGroups:
    - rbac.authorization.k8s.io
    resources:
    - roles
    - rolebindings
    verbs:
    - get
    - list
    - create
    - delete
    - update
    - patch
    - watch
  - apiGroups:
    - batch
    resources:
    - jobs
    - cronjobs
    - deployments
    verbs:
    - create
    - list
    - delete
    - update
    - patch
    - get
    - wait
    - watch
  - apiGroups:
    - ""
    - route.openshift.io
    resources:
    - routes
    verbs:
    - get
    - list
    - create
    - delete
    - update
    - patch
    - watch
  - apiGroups:
    - ""
    - route.openshift.io
    resources:
    - routes/custom-host
    verbs:
    - get
    - create
    - list
    - delete
    - update
    - patch
    - watch
  - apiGroups:
    - extensions
    resources:
    - ingresses
    - jobs
    - deployments
    - networkpolicies
    - replicasets
    verbs:
    - get
    - list
    - create
    - delete
    - update
    - patch
  - apiGroups:
    - core.automation.ibm.com
    resources:
    - cartridges
    - automationuiconfigs
    verbs:
    - create
    - watch
    - list
    - get
    - delete
    - update
    - patch
  - apiGroups:
    - base.automation.ibm.com
    resources:
    - cartridgerequirements
    - automationbases
    verbs:
    - create
    - list
    - get
    - update
    - patch
    - watch
    - delete
  - apiGroups:
    - eventprocessing.automation.ibm.com
    resources:
    - eventprocessors
    verbs:
    - create
    - get
    - delete
    - list
    - patch
    - watch
  - apiGroups:
    - insightsengine.automation.ibm.com
    resources:
    - insightsengines
    verbs:
    - create
    - get
    - list
    - delete
    - patch
    - update
    - watch
  - apiGroups:
    - certmanager.k8s.io
    resources:
    - issuers
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - oidc.security.ibm.com
    resources:
    - clients
    verbs:
    - create
    - delete
    - get
    - list
    - watch
    - patch

CP4BA Insights Engine operator

The CP4BA Insights Engine operator creates the following service account:

ibm-insights-engine-operator

This service account binds to the following role:

ibm-insights-engine-operator

This role has the following rules:

- rules:
  - apiGroups:
    - ""
    resources:
    - pods
    - pods/exec
    - pods/log
    - services
    - endpoints
    - persistentvolumeclaims
    - events
    - configmaps
    - secrets
    - serviceaccounts
    - namespaces
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - apps
    resources:
    - deployments
    - deployments/finalizers
    - daemonsets
    - replicasets
    - statefulsets
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - monitoring.coreos.com
    resources:
    - servicemonitors
    verbs:
    - get
    - create
    - delete
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - apps
    resourceNames:
    - ibm-insights-engine-operator
    resources:
    - deployments/finalizers
    verbs:
    - update
  - apiGroups:
    - icp4a.ibm.com
    resources:
    - '*'
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - certmanager.k8s.io
    resources:
    - certificates
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - certmanager.k8s.io
    resources:
    - issuers
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - cert-manager.io
    resources:
    - issuers
    - certificates
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - ""
    resources:
    - pods/exec
    - pods/log
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - autoscaling
    resources:
    - horizontalpodautoscalers
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - policy
    resources:
    - poddisruptionbudgets
    - podsecuritypolicies
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - networking.k8s.io
    resources:
    - networkpolicies
    - ingresses
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - rbac.authorization.k8s.io
    resources:
    - roles
    - rolebindings
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - batch
    resources:
    - jobs
    - cronjobs
    - deployments
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - ""
    - route.openshift.io
    resources:
    - routes
    - routes/custom-host
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - extensions
    resources:
    - ingresses
    - jobs
    - deployments
    - networkpolicies
    - replicasets
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - flink.automation.ibm.com
    resources:
    - flinkclusters
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - flink.ibm.com
    resources:
    - flinkdeployments
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - zen.cpd.ibm.com
    resources:
    - zenextensions
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch

CP4BA Workflow Process Service operator

Each Workflow Process Service instance creates one service account for pod use.

ibm-cp4a-wfps-operator-controller-manager

This service account binds to three roles:

ibm-cp4a-wfps-operator-controller-manager-service-cert

This role has the following rules:

rules:
- apiGroups:
  - operators.coreos.com
  resourceNames:
  - ibm-cp4a-wfps-operator.v25.0.0
  resources:
  - operatorconditions
  verbs:
  - get
  - update
  - patch

ibm-cp4a-wfps-operator.v25.0.0

This role has the following rules:

rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch

ibm-cp4a-wfps-operator.v25.0.0-ibm-cp4a-wfps-operator-<ten digit number>

This role has the following rules:

rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch

This service account also binds to a cluster role:

ibm-cp4a-wfps-operator.v25.0.0-<ten digit number>

This cluster role has the following rules:

rules:
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - replicasets
  - statefulsets
  verbs:
  - '*'
- apiGroups:
  - authentication.k8s.io
  resources:
  - subjectaccessreviews
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers/finalizers
  verbs:
  - update
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - batch
  resources:
  - cronjobs
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - events
  - persistentvolumeclaims
  - pods
  - pods/exec
  - secrets
  - serviceaccounts
  - services
  - services/finalizers
  verbs:
  - '*'
- apiGroups:
  - icp4a.ibm.com
  resources:
  - icp4aclusters
  verbs:
  - '*'
- apiGroups:
  - icp4a.ibm.com
  resources:
  - icp4aclusters.icp4a.ibm.com
  verbs:
  - '*'
- apiGroups:
  - icp4a.ibm.com
  resources:
  - wfpsruntimes
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - icp4a.ibm.com
  resources:
  - wfpsruntimes/finalizers
  verbs:
  - update
- apiGroups:
  - icp4a.ibm.com
  resources:
  - wfpsruntimes/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - create
  - delete
- apiGroups:
  - oauth.openshift.io
  resources:
  - oauthclients
  verbs:
  - '*'
- apiGroups:
  - oidc.security.ibm.com
  resources:
  - clients
  verbs:
  - '*'
- apiGroups:
  - oidc.security.ibm.com
  resources:
  - clients.oidc.security.ibm.com
  verbs:
  - '*'
- apiGroups:
  - operator.ibm.com
  resources:
  - operandrequests
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - operator.ibm.com
  resources:
  - operandrequests/finalizers
  verbs:
  - update
- apiGroups:
  - operator.ibm.com
  resources:
  - operandrequests/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - podsecuritypolicies
  verbs:
  - '*'
- apiGroups:
  - postgresql.k8s.enterprisedb.io
  resources:
  - clusters
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - postgresql.k8s.enterprisedb.io
  resources:
  - clusters/finalizers
  verbs:
  - update
- apiGroups:
  - postgresql.k8s.enterprisedb.io
  resources:
  - clusters/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  verbs:
  - '*'
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  verbs:
  - '*'
- apiGroups:
  - route.openshift.io
  resources:
  - routes
  - routes/custom-host
  verbs:
  - '*'
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create

CP4BA Process Federation Server operator

Each Process Federation Server instance creates one service account:

ibm-cp4a-pfs-operator-controller-manager

This service account binds to two roles:

ibm-cp4a-pfs-operator.v25.0.0-<ten digit number>

This role has the following rules:

- rules:
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - apps
    resources:
      - deployments
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - apps
    resources:
      - replicasets
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - apps
    resources:
      - statefulsets
  - verbs:
      - get
      - list
  - verbs:
      - '*'
    apiGroups:
      - batch
    resources:
      - jobs
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - coordination.k8s.io
    resources:
      - leases
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
    resources:
      - configmaps
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
    resources:
      - events
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
    resources:
      - pods
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
    resources:
      - secrets
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
    resources:
      - serviceaccounts
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
    resources:
      - services
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - icp4a.ibm.com
    resources:
      - icp4aclusters
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - icp4a.ibm.com
    resources:
      - icp4aclusters.icp4a.ibm.com
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - icp4a.ibm.com
    resources:
      - processfederationservers
  - verbs:
      - update
    apiGroups:
      - icp4a.ibm.com
    resources:
      - processfederationservers/finalizers
  - verbs:
      - get
      - patch
      - update
    apiGroups:
      - icp4a.ibm.com
    resources:
      - processfederationservers/status
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - oauth.openshift.io
    resources:
      - oauthclients
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - oidc.security.ibm.com
    resources:
      - clients
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - oidc.security.ibm.com
    resources:
      - clients.oidc.security.ibm.com
  - verbs:
      - '*'
    apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
      - podsecuritypolicies
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - route.openshift.io
    resources:
      - routes
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - route.openshift.io
    resources:
      - routes/custom-host

ibm-cp4a-pfs-operator.v25.0.0

This role has the following rules:

- rules:
  - verbs:
      - get
      - update
      - patch
    apiGroups:
      - operators.coreos.com
    resources:
      - operatorconditions
    resourceNames:
      - ibm-cp4a-pfs-operator.v25.0.0

CP4BA Workflow Runtime operator

The CP4BA Workflow Runtime operator creates the following service account:

ibm-workflow-operator-sa

This service account binds to two roles:

ibm-workflow-operator.v25.0.0

This role has the following rules:


rules:
  - verbs:
      - get
      - update
      - patch
    apiGroups:
      - operators.coreos.com
    resources:
      - operatorconditions
    resourceNames:
      - ibm-workflow-operator.v25.0.0

ibm-workflow-operator.v25.0.0-ibm-workflow-operator--<ten digit number>

This role has the following rules:

rules:
  - verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
    apiGroups:
      - ''
    resources:
      - configmaps
  - verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
    apiGroups:
      - coordination.k8s.io
    resources:
      - leases
  - verbs:
      - create
      - patch
    apiGroups:
      - ''
    resources:
      - events

This service account also binds to a cluster role:

ibm-workflow-operator.v25.0.0-<ten digit number>

This cluster role has the following rules:

rules:
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - apps
    resources:
      - deployments
      - replicasets
      - statefulsets
  - verbs:
      - '*'
    apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
  - verbs:
      - '*'
    apiGroups:
      - batch
    resources:
      - jobs
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - coordination.k8s.io
    resources:
      - leases
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
    resources:
      - configmaps
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
    resources:
      - configmaps
      - events
      - persistentvolumeclaims
      - pods
      - secrets
      - serviceaccounts
      - services
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ''
    resources:
      - events
      - persistentvolumeclaims
      - pods
      - secrets
      - serviceaccounts
      - services
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - elastic.automation.ibm.com
    resources:
      - elasticsearches
  - verbs:
      - update
    apiGroups:
      - elastic.automation.ibm.com
    resources:
      - elasticsearches/finalizers
  - verbs:
      - get
      - patch
      - update
    apiGroups:
      - elastic.automation.ibm.com
    resources:
      - elasticsearches/status
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - elasticsearch.opencontent.ibm.com
    resources:
      - elasticsearchclusters
  - verbs:
      - update
    apiGroups:
      - elasticsearch.opencontent.ibm.com
    resources:
      - elasticsearchclusters/finalizers
  - verbs:
      - get
      - patch
      - update
    apiGroups:
      - elasticsearch.opencontent.ibm.com
    resources:
      - elasticsearchclusters/status
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - ibmevents.ibm.com
    resources:
      - kafkas
      - kafkausers
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - icp4a.ibm.com
    resources:
      - businessautomationmachinelearnings
  - verbs:
      - update
    apiGroups:
      - icp4a.ibm.com
    resources:
      - businessautomationmachinelearnings/finalizers
  - verbs:
      - get
      - patch
      - update
    apiGroups:
      - icp4a.ibm.com
    resources:
      - businessautomationmachinelearnings/status
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - icp4a.ibm.com
    resources:
      - contents
      - contents.icp4a.ibm.com
      - federatedsystems
      - federatedsystems.icp4a.ibm.com
      - processfederationservers
      - processfederationservers.icp4a.ibm.com
  - verbs:
      - get
    apiGroups:
      - icp4a.ibm.com
    resources:
      - contents/status
      - federatedsystems/status
      - processfederationservers/status
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - icp4a.ibm.com
    resources:
      - icp4aclusters
      - icp4aclusters.icp4a.ibm.com
      - workflowruntimes
      - workflowruntimes/status
  - verbs:
      - update
    apiGroups:
      - icp4a.ibm.com
    resources:
      - workflowruntimes/finalizers
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - networkpolicies
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - oauth.openshift.io
    resources:
      - oauthclients
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - oidc.security.ibm.com
    resources:
      - clients
      - clients.oidc.security.ibm.com
  - verbs:
      - '*'
    apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
      - podsecuritypolicies
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
      - roles
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - route.openshift.io
    resources:
      - routes
      - routes/custom-host
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - zen.cpd.ibm.com
    resources:
      - zenextensions
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - zen.cpd.ibm.com
    resources:
      - zenextensions/status
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - zen.cpd.ibm.com
    resources:
      - zenservices

CP4BA Document Processing Engine operator

The CP4BA Document Processing Engine operator deploys the engine for Automation Document Processing.

The CP4BA Document Processing Engine operator creates the following service account:

ibm-cp4a-dpe-operator

This service account binds to two roles:

ibm-dpe-operator.v25.0.0

This role has the following rules:

rules:
  - verbs:
      - get
      - update
      - patch
    apiGroups:
      - operators.coreos.com
    resources:
      - operatorconditions
    resourceNames:
      - ibm-dpe-operator.v25.0.0

ibm-dpe-operator.v24.0.0-ibm-cp4a-dpe-operator-<unique-ID>

This role has the following rules:

rules:
  - verbs:
      - '*'
    apiGroups:
      - ''
    resources:
      - pods
      - pods/exec
      - pods/log
      - services
      - endpoints
      - persistentvolumeclaims
      - events
      - configmaps
      - secrets
      - serviceaccounts
  - verbs:
      - '*'
    apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
  - verbs:
      - get
      - create
    apiGroups:
      - monitoring.coreos.com
    resources:
      - servicemonitors
  - verbs:
      - update
    apiGroups:
      - apps
    resources:
      - deployments/finalizers
    resourceNames:
      - ibm-cp4a-operator
      - ibm-cp4a-dpe-operator
  - verbs:
      - '*'
    apiGroups:
      - icp4a.ibm.com
      - dpe.ibm.com
    resources:
      - '*'
  - verbs:
      - '*'
    apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
  - verbs:
      - '*'
    apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
      - podsecuritypolicies
  - verbs:
      - '*'
    apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
      - ingresses
  - verbs:
      - '*'
    apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - rolebindings
  - verbs:
      - '*'
    apiGroups:
      - batch
    resources:
      - jobs
      - cronjobs
      - deployments
  - verbs:
      - '*'
    apiGroups:
      - ''
      - route.openshift.io
    resources:
      - routes
      - routes/custom-host
  - verbs:
      - '*'
    apiGroups:
      - extensions
    resources:
      - ingresses
      - jobs
      - deployments
      - networkpolicies
      - replicasets
  - verbs:
      - '*'
    apiGroups:
      - core.automation.ibm.com
    resources:
      - cartridges
      - automationuiconfigs
  - verbs:
      - '*'
    apiGroups:
      - base.automation.ibm.com
    resources:
      - cartridgerequirements
      - automationbases
  - verbs:
      - '*'
    apiGroups:
      - certmanager.k8s.io
    resources:
      - issuers
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - zen.cpd.ibm.com
    resources:
      - zenservices
      - zenextensions

This service account also binds to a cluster role:

ibm-dpe-operator.v25.0.0-<unique-ID>

This cluster role has the following rules:

rules:
  - verbs:
      - use
      - list
    apiGroups:
      - security.openshift.io
    resources:
      - securitycontextconstraints
    resourceNames:
      - restricted
  - verbs:
      - '*'
    apiGroups:
      - icp4a.ibm.com
    resources:
      - '*'
  - verbs:
      - '*'
    apiGroups:
      - extensions
    resources:
      - podsecuritypolicies
  - verbs:
      - '*'
    apiGroups:
      - policy
    resources:
      - podsecuritypolicies
  - verbs:
      - get
    apiGroups:
      - route.openshift.io
    resources:
      - routes
  - verbs:
      - list
    apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
  - verbs:
      - get
      - create
      - patch
      - update
      - delete
    apiGroups:
      - ''
    resources:
      - configmaps
      - secrets
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - operator.ibm.com
    resources:
      - operandrequests
  - verbs:
      - get
    apiGroups:
      - operator.ibm.com
    resources:
      - operandrequests/status
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - operator.ibm.com
    resources:
      - commonservices
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - operators.coreos.com
    resources:
      - subscriptions
      - clusterserviceversions
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - db2u.databases.ibm.com
    resources:
      - db2uclusters
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - db2u.databases.ibm.com/v1
    resources:
      - db2uclusters
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - db2u.databases.ibm.com/v1.Db2uCluster
    resources:
      - db2uclusters
  - verbs:
      - '*'
    apiGroups:
      - operator.ibm.com
    resources:
      - businessteamsservices
  - verbs:
      - list
      - get
      - delete
    apiGroups:
      - ''
    resources:
      - pods
  - verbs:
      - get
      - list
    apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - zen.cpd.ibm.com
    resources:
      - zenservices
      - zenextensions
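
The ibm-dpe-operator role above grants '*' on pods, pods/exec, secrets and serviceaccounts in the core group and '*' on roles and rolebindings, and the cluster role adds '*' on every icp4a.ibm.com resource. Those are the grants to review first: each one lets whoever controls the operator pod read every credential in the namespace, run code in any pod, or extend its own permissions (a '*' verb list includes bind and escalate, so the API server's RBAC escalation check does not constrain it). The Python below is an example added by the editor, not IBM code or documentation; it parses rule listings in the plain form used on this page and flags such grants. The two excerpts it ships with are copied from the listings above and trimmed to the rules of interest.

```python
"""Audit Kubernetes RBAC rules, in the YAML list form used by these role
listings, for grants that amount to namespace takeover.  Added example by the
editor, not IBM code; parse_rules() handles only the plain `rules:` list form
shown on this page (scalar lists under verbs/apiGroups/resources/resourceNames)."""
from typing import Dict, List, Tuple

Rule = Dict[str, List[str]]


def parse_rules(text: str) -> List[Rule]:
    """Accepts both the `- verbs:` and `- apiGroups:` first-key orderings; `rules: null` yields []."""
    rules: List[Rule] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("rules:", "- rules:"):
            continue
        if line.startswith("- ") and line.endswith(":"):   # first key of a new rule
            rules.append({})
            key = line[2:-1]
            rules[-1][key] = []
        elif line.endswith(":"):                             # next key of the same rule
            key = line[:-1]
            rules[-1][key] = []
        elif line.startswith("- "):                          # scalar entry: pods, '', '*'
            rules[-1][key].append(line[2:].strip().strip("'\""))
    return rules


# (finding, apiGroups, resources, verbs): a rule covering one of each ('*' covers
# everything) grants a known escalation primitive inside its namespace.
CHECKS = [
    ("exec into any pod: code execution in every workload of the namespace",
     {""}, {"pods/exec"}, {"create"}),
    ("read every Secret: database, LDAP, TLS and LTPA material",
     {""}, {"secrets"}, {"get", "list", "watch"}),
    ("write Roles/RoleBindings; '*' includes bind and escalate, so the API server's "
     "escalation check no longer limits grants to permissions already held",
     {"rbac.authorization.k8s.io"}, {"roles", "rolebindings"},
     {"create", "update", "patch", "bind", "escalate"}),
]


def _covers(rule: Rule, field: str, wanted: set) -> bool:
    got = set(rule.get(field, []))
    return "*" in got or bool(got & wanted)


def audit(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Return (rule index, finding) pairs; rules narrowed by resourceNames are
    skipped because they name specific objects, not a whole kind."""
    findings: List[Tuple[int, str]] = []
    for i, rule in enumerate(rules):
        if rule.get("resourceNames"):
            continue
        if "*" in rule.get("verbs", []) and "*" in rule.get("resources", []):
            findings.append((i, "full control of every resource in apiGroups %s"
                             % sorted(rule.get("apiGroups", []))))
        for finding, groups, resources, verbs in CHECKS:
            if (_covers(rule, "apiGroups", groups) and _covers(rule, "resources", resources)
                    and _covers(rule, "verbs", verbs)):
                findings.append((i, finding))
    return findings


# Trimmed excerpt of the ibm-dpe-operator role rules listed above.
DPE_OPERATOR_ROLE_EXCERPT = """\
rules:
  - verbs:
      - '*'
    apiGroups:
      - ''
    resources:
      - pods
      - pods/exec
      - secrets
  - verbs:
      - '*'
    apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - rolebindings
"""

# The narrow ibm-dpe-operator.v25.0.0 role listed above, for contrast.
DPE_OPERATORCONDITIONS_ROLE = """\
rules:
  - verbs:
      - get
      - update
      - patch
    apiGroups:
      - operators.coreos.com
    resources:
      - operatorconditions
    resourceNames:
      - ibm-dpe-operator.v25.0.0
"""

if __name__ == "__main__":
    for name, text in (("ibm-dpe-operator", DPE_OPERATOR_ROLE_EXCERPT),
                       ("ibm-dpe-operator.v25.0.0", DPE_OPERATORCONDITIONS_ROLE)):
        for idx, finding in audit(parse_rules(text)):
            print("%s rule %d: %s" % (name, idx, finding))
```

The operatorconditions role produces no findings because its resourceNames list pins it to one object; the operator role produces three. Paste any other `rules:` block from this page into parse_rules() to review it the same way.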

Automation Decision Services

For the Automation Decision Services operator, two roles are created:

ibm-ads-operator.v25.0.0

rules:
- apiGroups:
  - operators.coreos.com
  resourceNames:
  - ibm-ads-operator.v24.0.0
  resources:
  - operatorconditions
  verbs:
  - get
  - update
  - patch

ibm-ads-operator.v25.0.0-ibm-ads-operator-sa-<10 digits>

rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - icp4a.ibm.com
  resources:
  - icp4aads
  - icp4aautomationdecisionservices
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - icp4a.ibm.com
  resources:
  - icp4aads/finalizers
  - icp4aautomationdecisionservices/finalizers
  verbs:
  - update
- apiGroups:
  - icp4a.ibm.com
  resources:
  - icp4aads/status
  - icp4aautomationdecisionservices/status
  verbs:
  - get
  - patch
  - update

For the Automation Decision Services operands, a dedicated role with no permissions is created for most of the workloads:

icp4adeploy-ads-noperm-role

rules: null

The LTPA job has a dedicated role that it uses to create its secret:

icp4adeploy-ads-ltpa-role

rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - update
  - create
  - patch
  - delete

Most pods use a dedicated role that grants only read access (get, watch, list) to pods, so that they can find other pods:

icp4adeploy-ads-get-ready-pods-role

rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - watch
  - list
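
The listings document what the operator is meant to create; a review also needs what the bound service account can actually do, which `kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<service-account> -n <namespace>` prints as a table (the caller needs impersonate permission, which cluster-admin has). The Python below is an example added by the editor, not IBM code; it parses that table and diffs it against documented rules, taking the icp4adeploy-ads-get-ready-pods-role above as the expectation. The captured table it ships with is constructed by hand in the format kubectl prints, for a hypothetical ADS pod service account, with a planted `secrets` row so that the drift report has something to show.

```python
"""Diff what a service account can actually do against the role documented
for it.  Input is the table printed by
    kubectl auth can-i --list --as=system:serviceaccount:<ns>:<sa> -n <ns>
Added example by the editor, not IBM code.  The captured table below is
constructed by hand in kubectl's format; the planted `secrets` row is an
assumption used to show the drift report."""
import re
from typing import Dict, List, Set, Tuple

Grants = Dict[str, Set[str]]

# Rows every subject gets: the review APIs a caller may use on itself.
ALWAYS_PRESENT = {
    "selfsubjectaccessreviews.authorization.k8s.io",
    "selfsubjectrulesreviews.authorization.k8s.io",
}

# Resources | Non-Resource URLs | Resource Names | Verbs (three bracketed lists)
_ROW = re.compile(r"^(\S*)\s+\[(.*?)\]\s+\[(.*?)\]\s+\[(.*?)\]\s*$")


def parse_can_i_list(output: str) -> Grants:
    """Map each resource (`pods`, `jobs.batch`, ...) to the union of verbs the
    subject holds on it.  Non-resource URL rows and the always-present review
    rows are dropped."""
    grants: Grants = {}
    for line in output.splitlines()[1:]:            # [0] is the header row
        m = _ROW.match(line)
        if not m:
            continue
        resource, _urls, _names, verbs = m.groups()
        if not resource or resource in ALWAYS_PRESENT:
            continue
        grants.setdefault(resource, set()).update(verbs.split())
    return grants


def compare_grants(documented: Grants, live: Grants) -> Tuple[List[str], List[str]]:
    """Return (extra, missing) as `resource:verb` strings: verbs the account
    holds that the documented role does not grant, and documented verbs it
    lacks.  A live '*' counts as every verb."""
    extra: List[str] = []
    missing: List[str] = []
    for res in sorted(set(documented) | set(live)):
        doc, got = documented.get(res, set()), live.get(res, set())
        if "*" in got:
            if "*" not in doc:
                extra.append(res + ":*")
            continue
        extra += [res + ":" + v for v in sorted(got - doc)]
        missing += [res + ":" + v for v in sorted(doc - got)]
    return extra, missing


# Expectation taken from the icp4adeploy-ads-get-ready-pods-role listed above.
DOCUMENTED_GET_READY_PODS: Grants = {"pods": {"get", "watch", "list"}}

# Constructed sample output for a hypothetical ADS pod service account.
CAPTURED_CAN_I_LIST = """\
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
pods                                            []                  []               [get watch list]
secrets                                         []                  []               [get]
                                                [/api/*]            []               [get]
                                                [/healthz]          []               [get]
"""

if __name__ == "__main__":
    extra, missing = compare_grants(DOCUMENTED_GET_READY_PODS,
                                    parse_can_i_list(CAPTURED_CAN_I_LIST))
    print("undocumented grants:", extra)      # ['secrets:get']
    print("documented but absent:", missing)  # []
```

For a service account that this page documents as having no role bound, the live table should contain nothing beyond the two self-subject review rows and the non-resource URL rows, so parse_can_i_list() returns an empty dict; anything else is a binding the documentation does not account for.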

Automation Document Processing

By default, the Content Analyzer component of Automation Document Processing uses the following service account:

<cr-name>-aca-service-account

This service account binds to the role <cr-name>-aca-role that has the following rules:

rules:
  - verbs:
      - get
      - watch
      - list
    apiGroups:
      - ''
    resources:
      - pods
  - verbs:
      - get
      - watch
      - list
    apiGroups:
      - batch
    resources:
      - jobs
  - verbs:
      - get
      - update
      - create
      - patch
      - delete
    apiGroups:
      - ''
    resources:
      - secrets
      - endpoints
  - verbs:
      - get
      - watch
      - list
      - create
      - update
      - patch
      - delete
    apiGroups:
      - ''
    resources:
      - configmaps
Note:

A custom service account can be defined for the Content Analyzer component in the deployment CR with the ca_configuration.global.service_account parameter. For reference, see IBM Automation Document Processing parameters.

Business Automation Application

Each Business Automation Application engine instance creates a single service account for its pods. The name is based on the name of the custom resource (cr) and the instance name; for example, the playback AE instance name is pbk, and the default instance name for a production engine is workspace:

<cr-name>-<ae-instance-name>-aae-ae-sa

No role is created for the application engine. No Kubernetes access is needed.

Business Automation Workflow

The Business Automation Workflow server creates the following service account:

<cr-name>-<workflow instance name>-baw-server-sa

This service account binds to a role that has the following rules:

- rules:
  - verbs:
      - update
      - get
      - create
      - delete
      - patch
    apiGroups:
      - ''
    resources:
      - secrets
  - verbs:
      - wait
      - get
      - list
      - watch
    apiGroups:
      - batch
    resources:
      - jobs

Business Automation Workstreams

The Business Automation Workstreams server creates the following service account:

<cr-name>-<workflow instance name>-baw-server-sa

This service account binds to a role that has the following rules:

- rules:
  - verbs:
      - update
      - get
      - create
      - delete
      - patch
    apiGroups:
      - ''
    resources:
      - secrets
  - verbs:
      - wait
      - get
      - list
      - watch
    apiGroups:
      - batch
    resources:
      - jobs

FileNet Content Manager

This pattern uses the following service accounts:

ibm-cpe-watcher and <cr-name>-fncm-service-account

Service account ibm-cpe-watcher binds to the ibm-cpe-watcher role, which has the following rules:

rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - patch
  - update
  - delete
- apiGroups:
  - zen.cpd.ibm.com
  resources:
  - zenservices
  - zenextensions
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - icp4a.ibm.com
  resources:
  - '*'
  verbs:
  - get
  - list

Service account <cr-name>-fncm-service-account binds to <cr-name>-fncm-role, which has the following rules:

rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - update
  - create
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - watch
  - list
  - create
  - update
  - patch
  - delete

Operational Decision Manager

Operational Decision Manager (ODM) uses a single service account. The name is based on the name of the custom resource (cr):

<cr-name>-ibm-odm-prod-service-account

No role is created for ODM. No Kubernetes access is needed.

Process Federation Server

The Process Federation Server service account is named:

bs-pd-fvt-2301-pfs-service-account

No role binds to this service account.

Workflow Process Service

Each Workflow Process Service instance creates a single service account for its pods. The name is based on the name of the custom resource (cr):

<cr-name>-sa

No role is created for the Workflow Process Service instance. No Kubernetes access is needed.

Business Automation Navigator

Business Automation Navigator uses the following service accounts:

ibm-ban-watcher and <cr-name>-fncm-service-account

Service account ibm-ban-watcher binds to the ibm-ban-watcher role, which has the following rules:

rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - patch
  - update
  - delete
- apiGroups:
  - zen.cpd.ibm.com
  resources:
  - zenservices
  - zenextensions
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - icp4a.ibm.com
  resources:
  - '*'
  verbs:
  - get
  - list

Service account <cr-name>-fncm-service-account binds to <cr-name>-fncm-role, which is already documented in the FileNet Content Manager section.

Business Automation Studio

Business Automation Studio creates two service accounts for pods to use, based on the name of the custom resource (cr):

<cr-name>-bastudio-sa
<cr-name>-bastudio-int

The int service account is used only by the lightweight third-party authentication (LTPA) job. It binds to the <cr-name>-bastudio-int role, which allows the following operations on secrets:

resources:
- secrets
verbs:
- get
- create
- update
- delete
- patch

The <cr-name>-bastudio-sa service account is used by the Business Automation Studio pod. It is not bound to any role or cluster role and does not require additional access.

Business Automation Insights

The Business Automation Insights engine uses the service account <cr-name>-insights-engine-sa, which binds to the role <cr-name>-insights-engine-role. The role has the following rules:

rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - update
  - create
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - watch
  - list
  - create
  - update
  - patch
  - delete

Machine Learning

The Machine Learning server creates the following service account:

ibm-mls-default-sa

This service account binds to a role that has the following rules:

- rules:
  - verbs:
      - update
      - get
      - create
      - delete
      - patch
    apiGroups:
      - ''
    resources:
      - secrets