Before you begin
Review the guidance in Supported project (namespace) configurations to understand the relationship
between the projects (namespaces) and the security considerations that you need to take into
account.
Best practice: You can run the commands in this task exactly as written if you set up environment
variables. For instructions, see Setting up installation environment variables.
Ensure that you source the environment variables before you run the commands in this task.
Procedure
To create the necessary projects for your environment:
- Log in to your Red Hat OpenShift Container Platform as a cluster administrator:
- Create the appropriate projects for your environment.
Express installations

Project to create: ibm-common-services
  You can skip this step if IBM Cloud Pak foundational services is already installed on the cluster.
  ibm-common-services is the default and recommended name. If you sourced the installation
  environment variables, the value from the PROJECT_CPFS_OPS variable is used.
  If you choose to use a different project for the IBM Cloud Pak foundational services operators,
  you must create configmap . For details, see Installing IBM Cloud Pak foundational services in a
  custom namespace.
  Command:
  oc new-project ${PROJECT_CPFS_OPS}

Project to create: cpd-instance
  Source the installation environment variables to ensure that the correct value for the
  PROJECT_CPD_INSTANCE variable is used.
  Command:
  oc new-project ${PROJECT_CPD_INSTANCE}
  Remember: If you plan to install multiple instances of Cloud Pak for Data on the cluster, you
  must create a project for each instance.

Project to create: cpd-instance-tether
  You can skip this step if you don't plan to deploy any service instances or workloads in a
  tethered project.
  Source the installation environment variables to ensure that the correct value for the
  PROJECT_TETHERED variable is used.
  Command:
  oc new-project ${PROJECT_TETHERED}
  Important:
  Many services support only one service instance in a given project. If you want to create
  multiple instances of a service, you must deploy each instance of the service in a different
  project. You can achieve this by creating multiple tethered projects and creating one instance of
  the service in each tethered project.
  You can co-locate service instances and workloads for different services in the same tethered
  project, or you can create different tethered projects if one service or workload requires more
  privileges. You can use different tethered projects to give each service instance or workload
  only the privileges it needs, in line with the principle of least privilege.

Specialized installations

Project to create: ibm-common-services
  You can skip this step if IBM Cloud Pak foundational services is already installed on the cluster.
  ibm-common-services is the default and recommended name. If you sourced the installation
  environment variables, the value from the PROJECT_CPFS_OPS variable is used.
  If you choose to use a different project for the IBM Cloud Pak foundational services operators,
  you must create configmap . For details, see Installing IBM Cloud Pak foundational services in a
  custom namespace.
  Command:
  oc new-project ${PROJECT_CPFS_OPS}

Project to create: cpd-operators
  cpd-operators is the recommended name. If you sourced the installation environment variables,
  the value from the PROJECT_CPD_OPS variable is used.
  Command:
  oc new-project ${PROJECT_CPD_OPS}

Project to create: cpd-instance
  Source the installation environment variables to ensure that the correct value for the
  PROJECT_CPD_INSTANCE variable is used.
  Command:
  oc new-project ${PROJECT_CPD_INSTANCE}
  Remember: If you plan to install multiple instances of Cloud Pak for Data on the cluster, you
  must create a project for each instance.

Project to create: cpd-instance-tether
  You can skip this step if you don't plan to deploy any service instances or workloads in a
  tethered project.
  Source the installation environment variables to ensure that the correct value for the
  PROJECT_TETHERED variable is used.
  Command:
  oc new-project ${PROJECT_TETHERED}
  Important:
  Many services support only one service instance in a given project. If you want to create
  multiple instances of a service, you must deploy each instance of the service in a different
  project. You can achieve this by creating multiple tethered projects and creating one instance of
  the service in each tethered project.
  You can co-locate service instances and workloads for different services in the same tethered
  project, or you can create different tethered projects if one service or workload requires more
  privileges. You can use different tethered projects to give each service instance or workload
  only the privileges it needs, in line with the principle of least privilege.

- If you created a tethered project, you must tether ${PROJECT_TETHERED} to the project where the
  Cloud Pak for Data control plane is installed (${PROJECT_CPD_INSTANCE}):
  - Run the cpd-cli manage login-to-ocp command to log in to the cluster as a user with
    sufficient permissions to complete this task. For example:
    cpd-cli manage login-to-ocp \
    --username=${OCP_USERNAME} \
    --password=${OCP_PASSWORD} \
    --server=${OCP_URL}
    Tip: The login-to-ocp command takes the same input as the oc login command. Run
    oc login --help for details.
  - Tether the ${PROJECT_TETHERED} to the project where the Cloud Pak for Data control plane is
    installed:
    cpd-cli manage setup-tethered-ns \
    --cpd_instance_ns=${PROJECT_CPD_INSTANCE} \
    --tethered_instance_ns=${PROJECT_TETHERED}
    If you created multiple tethered projects, export the ${PROJECT_TETHERED} environment variable
    with the correct project name and repeat this step to tether each project to the
    ${PROJECT_CPD_INSTANCE} project.
  After you tether a project to the project where the Cloud Pak for Data control plane is
  installed, you can deploy service instances to the tethered project or run workloads in the
  tethered project. For information about which services support this, see Multitenancy support.
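A pre-flight check for the procedure above, added here as an example and not part of IBM's documentation or tooling: it validates the project variables before any command runs and prints the resulting oc new-project and setup-tethered-ns commands for the express-installation layout, without contacting a cluster. The TETHERED_PROJECTS list, the function names, and the rule that a tethered project must differ from the other two projects are assumptions of this example.

```shell
#!/bin/sh
# Added example (not IBM's code). Dry run only: it validates the project
# variables and prints the commands from this task without contacting a cluster.
# TETHERED_PROJECTS, a space-separated list, is a hypothetical helper variable.
LC_ALL=C  # byte-wise character ranges in the patterns below

# OpenShift project names are RFC 1123 labels: lowercase alphanumerics and '-',
# beginning and ending with an alphanumeric, at most 63 characters.
valid_project_name() {
  [ "${#1}" -ge 1 ] && [ "${#1}" -le 63 ] || return 1
  case "$1" in
    *[!a-z0-9-]* | -* | *-) return 1 ;;
  esac
  return 0
}

require_name() {  # $1 = variable name for the message, $2 = its value
  valid_project_name "$2" && return 0
  echo "error: $1 is unset or not a valid project name: '$2'" >&2
  return 1
}

# Prints the command plan on stdout. Every name is checked before anything is
# printed, so a bad value never yields a partial plan.
plan_projects() {
  require_name PROJECT_CPFS_OPS "${PROJECT_CPFS_OPS:-}" || return 1
  require_name PROJECT_CPD_INSTANCE "${PROJECT_CPD_INSTANCE:-}" || return 1
  for t in ${TETHERED_PROJECTS:-}; do
    require_name TETHERED_PROJECTS "$t" || return 1
    # Assumption of this example: a tethered project exists to isolate
    # privileges, so it must not reuse the control plane or services project.
    if [ "$t" = "$PROJECT_CPD_INSTANCE" ] || [ "$t" = "$PROJECT_CPFS_OPS" ]; then
      echo "error: tethered project '$t' must be a separate project" >&2
      return 1
    fi
  done
  echo "oc new-project ${PROJECT_CPFS_OPS}"
  echo "oc new-project ${PROJECT_CPD_INSTANCE}"
  for t in ${TETHERED_PROJECTS:-}; do
    echo "oc new-project ${t}"
    echo "cpd-cli manage setup-tethered-ns --cpd_instance_ns=${PROJECT_CPD_INSTANCE} --tethered_instance_ns=${t}"
  done
}

# Constructed sample values; in practice they come from the sourced variables.
( PROJECT_CPFS_OPS=ibm-common-services; PROJECT_CPD_INSTANCE=cpd-instance
  TETHERED_PROJECTS="cpd-tether-a cpd-tether-b"; plan_projects )
```

Review the printed plan, then run the commands yourself while logged in as described in the procedure.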
What to do next
Now that you've set up the required projects, you are ready to complete Creating custom security context constraints for services.