IBM Cloud Pak for Data operators

The IBM Cloud Pak for Data control plane and services are installed using operators, which simplify the process of upgrading, scaling, and rolling back software on Red Hat® OpenShift® Container Platform.

Overview of operators

An operator is a custom Kubernetes controller. A controller implements a control loop that continually watches the state of specific objects on your cluster and makes adjustments as needed to keep the objects running in the desired state.

Tip: The Red Hat OpenShift: Operators Framework video from Red Hat provides a high-level explanation of operators. (This video is also available on YouTube: https://www.youtube.com/watch?v=LymzLHRbQdk.)

Each component of Cloud Pak for Data includes an operator that is responsible for managing that component. For example, there is an operator for the control plane and an operator for each service.

Each component also has its own custom resource definition (CRD) that describes the service. The CRD is a resource that is identified by the kind attribute. When you create a custom resource (CR) to install a component, you must specify the kind of resource that you are creating. For example, the Watson™ Knowledge Catalog service defines the WKC resource. When you create a CR with kind: WKC, you install the Watson Knowledge Catalog service. After you install the service, the Watson Knowledge Catalog operator monitors and manages the WKC resources on the cluster.

The resources that an operator manages are also called operands.

Some operators reference another operator or interact with the operands that are managed by another operator. For example, the Watson Knowledge Catalog service has a dependency on components such as:
  • Common core services
  • Db2U

The Watson Knowledge Catalog instantiates custom resources for these components, which are then managed by the Common core services operator and the Db2U operator respectively.

Operator Lifecycle Manager

Cloud Pak for Data software uses Operator Lifecycle Manager (OLM) to install, update, and manage operators. OLM defines several custom resource definitions (CRDs), including but not limited to:
  • Catalog sources
  • Subscriptions
  • Install plans
  • Cluster service versions
  • Operator groups
The cpd-cli manage apply-olm command abstracts the complexity of creating and maintaining operators. Most users don't need to be familiar with OLM concepts to successfully install and manage Cloud Pak for Data because the cpd-cli manage apply-olm command creates and updates the operators for you.
Tip: The cpd-cli manage apply-olm command includes a --preview option that you can use if you want to understand the oc commands that the cpd-cli manage apply-olm command will run on your behalf.

Catalog source

Resource name
CatalogSource or catsrc
Description
A catalog source is a way to introduce new software or new versions of software to the cluster. A catalog source is a repository of operator versions (as specified by a cluster service version), custom resource definitions (CRDs), and packages that comprise an application. The information provided by the catalog source enables OLM to discover and install operators and their dependencies.
The Cloud Pak for Data perspective
The cpd-cli manage apply-olm command automatically creates the appropriate catalog source for each specified component.

The catalog sources are tied to the release of Cloud Pak for Data that you install. For example, there are specific catalogs for the 4.6.0 release.

Subscription

Resource name
Subscription or sub
Description
An operator subscription provides the following information to OLM:
  • The name of the operator
  • The location to install the operator
  • The channel to subscribe to
  • The install plan approval mechanism to use
  • The catalog source to use
The Cloud Pak for Data perspective
The cpd-cli manage apply-olm command automatically creates the subscriptions for any operators that are required by the specified components.

Install plan

Resource name
InstallPlan or ip
Description
When an operator subscription is created, OLM creates an install plan that describes the set of resources, such as the cluster service version and the operator deployment, that must be created to install or upgrade the operator.

When you create an operator, you specify the approval strategy for the install plan:

Automatic
When a subscription includes installPlanApproval: Automatic and a newer CSV is detected, OLM automatically approves the install plan and installs or upgrades the operator.
Manual
When a subscription includes installPlanApproval: Manual and a newer CSV is detected, OLM creates a request for an administrator to approve the install plan. After an administrator approves the request, OLM installs or upgrades the operator.
The Cloud Pak for Data perspective
To simplify the installation experience, all Cloud Pak for Data operators are created with installPlanApproval: Automatic. This ensures that the cpd-cli manage apply-olm command can create or update all of the required operators.
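
The approval strategies described above decide which operators upgrade without an administrator in the loop. The following is an added example, not part of the IBM documentation: it reads JSON shaped like what oc get ... -o json returns for Subscription and InstallPlan objects, then lists the subscriptions that upgrade automatically and the install plans still waiting for approval. All operator, channel, catalog and project names in the sample are constructed.

```python
import json

# Constructed sample shaped like `oc get ... -o json` output for Subscription
# and InstallPlan objects. Every name below is hypothetical.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Subscription",
  "metadata": {"name": "example-cpd-platform", "namespace": "cpd-operators"},
  "spec": {"name": "example-cpd-platform-operator", "channel": "v1.0",
           "source": "example-cpd-catalog", "sourceNamespace": "openshift-marketplace",
           "installPlanApproval": "Automatic"}},
 {"kind": "Subscription",
  "metadata": {"name": "example-other", "namespace": "team-a"},
  "spec": {"name": "example-other-operator", "channel": "stable",
           "source": "example-catalog", "sourceNamespace": "openshift-marketplace",
           "installPlanApproval": "Manual"}},
 {"kind": "InstallPlan",
  "metadata": {"name": "install-abcde", "namespace": "team-a"},
  "spec": {"approval": "Manual", "approved": false,
           "clusterServiceVersionNames": ["example-other-operator.v2.0.0"]}}
]}
""")


def review_approvals(doc):
    """Split OLM objects into auto-upgrading subscriptions and pending plans."""
    automatic, pending = [], []
    for item in doc.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        where = f'{meta.get("namespace")}/{meta.get("name")}'
        if item.get("kind") == "Subscription":
            # Assumption: a subscription without the field behaves as Automatic.
            if spec.get("installPlanApproval", "Automatic") != "Manual":
                automatic.append((where, spec.get("channel"), spec.get("source")))
        elif item.get("kind") == "InstallPlan":
            # A Manual plan stays unapproved until an administrator approves it.
            if spec.get("approval") == "Manual" and not spec.get("approved", False):
                pending.append((where, spec.get("clusterServiceVersionNames", [])))
    return automatic, pending


if __name__ == "__main__":
    auto, waiting = review_approvals(SAMPLE)
    for where, channel, source in auto:
        print(f"auto-upgrades: {where} (channel={channel}, catalog={source})")
    for where, csvs in waiting:
        print(f"awaiting approval: {where} -> {', '.join(csvs)}")
```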

Cluster service version (CSV)

Resource name
ClusterServiceVersion or csv
Description
A cluster service version (CSV) represents a specific version of an operator. The information provided by the CSV enables OLM to:
  • Understand the custom resources that the operator manages or depends on
  • Introduce the custom resource definition (CRD), if it doesn't exist
  • Set up the operator's service accounts
  • Start up the operator deployment
  • Keep the operator running safely on the cluster
  • Understand how updates should be applied when new versions of the operator are available on the cluster
The Cloud Pak for Data perspective
The cpd-cli manage apply-olm command automatically creates the appropriate CSVs for the specified components.

Operator group

Resource name
OperatorGroup or og
Description
An operator group enables OLM to provide limited support for simultaneously installing different variations of an operator on a cluster. When OLM detects a newer CSV, it uses the operator group to determine where to create role bindings that grant the operator specific permissions.
The Cloud Pak for Data perspective
Cloud Pak for Data operators are installed once per cluster using InstallModeType: ownNamespace.

The operator group that the operators are included in depends on whether you choose an express installation or a specialized installation. For details, see Location of the operators.

The cpd-cli manage apply-olm command automatically creates the required operator groups in the appropriate projects.

The cpd-cli manage apply-olm command also updates or creates the required NamespaceScope object, which enables the operators project (namespace) to watch the project where you install the Cloud Pak for Data platform and services.

Location of the operators

The location of the Cloud Pak for Data operators depends on the type of installation that you choose.

Important: If IBM Cloud Pak foundational services is already installed on your cluster, identify the project where the operators are installed.

Installation type: Express

Operator location
The Cloud Pak for Data operators are co-located with the IBM Cloud Pak foundational services operators in the ibm-common-services project.

Security considerations
An express installation does not enforce strict distinction between Red Hat OpenShift projects (namespaces) that are managed by operators.

Both the IBM Cloud Pak foundational services operators and the IBM Cloud Pak for Data operators watch any projects where IBM® Cloud Paks are installed.

This means that all of the operators are granted RBAC to all of the projects where IBM Cloud Paks are installed even though it is unnecessary for the IBM Cloud Pak for Data operators to be granted permissions on projects where IBM Cloud Pak for Data is not installed.

This might not be important if you don't plan to install other IBM Cloud Paks.

Installation type: Specialized

Operator location
The IBM Cloud Pak foundational services operators are installed in one project, typically in the ibm-common-services project.

The Cloud Pak for Data operators are installed in their own project, such as cpd-operators.

Security considerations
A specialized installation also facilitates strict division between Red Hat OpenShift projects (namespaces):
  • The IBM Cloud Pak foundational services operators watch any projects where IBM Cloud Paks are installed.

    This means that the IBM Cloud Pak foundational services operators are granted RBAC to all of the projects where IBM Cloud Paks are installed.

  • The Cloud Pak for Data operators watch only the projects where Cloud Pak for Data is installed.

    This means that the Cloud Pak for Data operators are granted RBAC to only the projects where Cloud Pak for Data is installed, which limits the permissions scope of the Cloud Pak for Data operators.
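
The difference in RBAC scope between the two installation types can be checked from the role bindings on the cluster. The following is an added example, not part of the IBM documentation: it reads JSON shaped like oc get rolebindings -A -o json output and reports the projects where service accounts from the operators project hold role bindings although Cloud Pak for Data is not installed there. It assumes the operators' service accounts live in the operators project and covers namespaced RoleBinding objects only; the service account, binding and project names other than ibm-common-services are constructed.

```python
import json

# Constructed sample shaped like `oc get rolebindings -A -o json` output.
# Service account and binding names are hypothetical; "cpd-instance" and
# "other-cloud-pak" stand in for projects where IBM Cloud Paks are installed.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"metadata": {"name": "example-cpd-operator-rb", "namespace": "cpd-instance"},
  "roleRef": {"kind": "Role", "name": "example-cpd-operator-role"},
  "subjects": [{"kind": "ServiceAccount", "name": "example-cpd-operator-sa",
                "namespace": "ibm-common-services"}]},
 {"metadata": {"name": "example-cpd-operator-rb", "namespace": "other-cloud-pak"},
  "roleRef": {"kind": "Role", "name": "example-cpd-operator-role"},
  "subjects": [{"kind": "ServiceAccount", "name": "example-cpd-operator-sa",
                "namespace": "ibm-common-services"}]},
 {"metadata": {"name": "view-rb", "namespace": "other-cloud-pak"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "Group", "name": "example-auditors"}]},
 {"metadata": {"name": "empty-rb", "namespace": "cpd-instance"},
  "roleRef": {"kind": "Role", "name": "unused"}, "subjects": null}
]}
""")


def operator_reach(doc, operators_project):
    """Map each project to the operator service accounts bound to roles there."""
    reach = {}
    for rb in doc.get("items", []):
        ns = rb["metadata"]["namespace"]
        for subj in rb.get("subjects") or []:  # subjects may be absent or null
            if (subj.get("kind") == "ServiceAccount"
                    and subj.get("namespace") == operators_project):
                reach.setdefault(ns, set()).add(subj["name"])
    return reach


def excess_projects(reach, cpd_projects, operators_project):
    """Projects where operators hold RBAC but Cloud Pak for Data is not installed."""
    allowed = set(cpd_projects) | {operators_project}
    return sorted(ns for ns in reach if ns not in allowed)


if __name__ == "__main__":
    reach = operator_reach(SAMPLE, "ibm-common-services")
    print(excess_projects(reach, ["cpd-instance"], "ibm-common-services"))
```

In the constructed express-style sample the result is other-cloud-pak; for a specialized installation, pass the Cloud Pak for Data operators project (such as cpd-operators) as operators_project.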