Authorizing a user to act as an IBM Cloud Pak for Data instance administrator (Upgrading from Version 4.5 to Version 4.7)

If a user other than the cluster administrator will upgrade IBM Cloud Pak for Data, you must give a Red Hat® OpenShift® Container Platform user the required role to upgrade the Cloud Pak for Data software in the instance projects.

Upgrade phase

  • Updating your client workstation
  • Updating your cluster
  • Collecting required information
  • Preparing to run an upgrade from a private container registry
  • Migrating to the private topology
  • Preparing to upgrade an instance of Cloud Pak for Data (you are here)
  • Upgrading an instance of Cloud Pak for Data

Who needs to complete this task?

A cluster administrator must complete this task.

When do you need to complete this task?

This task is required in some situations.

  • Skip this task if the cluster administrator will upgrade the Cloud Pak for Data software.
  • Complete this task only if a user other than the cluster administrator will upgrade the Cloud Pak for Data software.

    Repeat as needed: If you have multiple instances of Cloud Pak for Data on the cluster, repeat this task for each instance that you plan to upgrade to Version 4.7.

Before you begin

Best practice: You can run the commands in this task exactly as written using the installation environment variables. Ensure that you added the new environment variables from Updating your environment variables script.

In addition, ensure that you source the environment variables before you run the commands in this task.

About this task

You must assign the following roles in the specified projects to any users who will install software for this instance of Cloud Pak for Data:

Role: admin
Projects:
  • Operators project
  • Operands project
  • Any tethered projects
Details: The Red Hat OpenShift Container Platform admin role enables a user to view and modify any resource in the project except for the project quota.

Role: cpd-instance-admin-apply-olm
Projects:
  • Operators project
Details: The cpd-instance-admin-apply-olm role enables a user to create and modify OLM artifacts in the operators project for the instance.

Tip: If you are not willing to give a user the admin permission on the projects associated with the instance, you can give the user the minimum role-based access control to create the required resources based on the components that you plan to install. However, this method requires additional planning and maintenance and is not recommended for typical installations. For details, see Giving a user the minimum RBAC to install Cloud Pak for Data components.

Procedure

To apply the required permissions to the projects:

  1. Log in to Red Hat OpenShift Container Platform as a user with sufficient permissions to complete the task.
    oc login ${OCP_URL}
  2. Set the INSTANCE_ADMIN environment variable to the username of the Red Hat OpenShift Container Platform user that you want to give instance administration privileges to.
    export INSTANCE_ADMIN=<user>
  3. Assign the user the admin role in all of the projects associated with the instance.
    Tip: The following steps use the oc adm policy add-role-to-user <role-name> <user-name> command. Alternatively, you can use the oc adm policy add-role-to-group <role-name> <group-name> command to authorize a group of Red Hat OpenShift Container Platform users.
    1. Assign the user the role in the operators project for the instance:
      oc adm policy add-role-to-user admin ${INSTANCE_ADMIN} \
      --namespace=${PROJECT_CPD_INST_OPERATORS} \
      --rolebinding-name="cpd-instance-admin-rbac"
    2. Assign the user the role in the operands project for the instance:
      oc adm policy add-role-to-user admin ${INSTANCE_ADMIN} \
      --namespace=${PROJECT_CPD_INST_OPERANDS} \
      --rolebinding-name="cpd-instance-admin-rbac"
    3. Assign the user the role in any tethered projects for the instance:
      oc adm policy add-role-to-user admin ${INSTANCE_ADMIN} \
      --namespace=${PROJECT_CPD_INSTANCE_TETHERED} \
      --rolebinding-name="cpd-instance-admin-rbac"

      Repeat this step for each tethered project that is associated with this instance of Cloud Pak for Data.

      Tip: If you set the PROJECT_CPD_INSTANCE_TETHERED_LIST environment variable, print the list of tethered projects to the terminal:
      echo $PROJECT_CPD_INSTANCE_TETHERED_LIST

      Use this information to set the PROJECT_CPD_INSTANCE_TETHERED environment variable before you re-run the command.

  4. Assign the user the cpd-instance-admin-apply-olm role on the operators project for the instance:
    1. Create the cpd-instance-admin-apply-olm role in the operators project for the instance:
      oc apply -f - << EOF
      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: cpd-instance-admin-apply-olm
        namespace: ${PROJECT_CPD_INST_OPERATORS}
      rules:
      - apiGroups:
        - operators.coreos.com
        resources:
        - operatorgroups
        verbs:
        - create
        - get
        - list
        - patch
        - update
      - apiGroups:
        - operators.coreos.com
        resources:
        - catalogsources
        verbs:
        - create
        - get
        - list
      EOF
    2. Assign the user the role in the operators project for the instance:
      Tip: The following step uses the oc adm policy add-role-to-user <role-name> <user-name> command. Alternatively, you can use the oc adm policy add-role-to-group <role-name> <group-name> command to authorize a group of Red Hat OpenShift Container Platform users.
      oc adm policy add-role-to-user cpd-instance-admin-apply-olm ${INSTANCE_ADMIN} \
      --namespace=${PROJECT_CPD_INST_OPERATORS} \
      --role-namespace=${PROJECT_CPD_INST_OPERATORS} \
      --rolebinding-name="cpd-instance-admin-apply-olm-rbac"
  5. Assign the user the cpd-instance-admin-read-catsrc role on the openshift-marketplace project:
    1. Create the cpd-instance-admin-read-catsrc role in the openshift-marketplace project.

      Skip this step if you already created the cpd-instance-admin-read-catsrc role in the openshift-marketplace project. For example, you are authorizing a second instance administrator or you are authorizing an instance administrator on a second instance of Cloud Pak for Data.

      oc apply -f - << EOF
      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: cpd-instance-admin-read-catsrc
        namespace: openshift-marketplace
      rules:
      - apiGroups:
        - operators.coreos.com
        resources:
        - catalogsources
        verbs:
        - get
        - list
      EOF
    2. Assign the user the role in the openshift-marketplace project:
      oc adm policy add-role-to-user cpd-instance-admin-read-catsrc ${INSTANCE_ADMIN} \
      --namespace=openshift-marketplace \
      --role-namespace=openshift-marketplace \
      --rolebinding-name="cpd-instance-admin-read-catsrc-rbac"
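
The following verification pass is an added example, not part of IBM's procedure: it impersonates the new instance administrator with oc auth can-i and checks the verbs granted by the two Roles created in steps 4 and 5. It assumes INSTANCE_ADMIN and PROJECT_CPD_INST_OPERATORS are exported as in the steps above and that the logged-in user is allowed to impersonate other users; the function names expect_perm and verify_instance_admin are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: check the RBAC that steps 4 and 5 create, as seen by the user.
# Assumes INSTANCE_ADMIN and PROJECT_CPD_INST_OPERATORS are already exported.

# expect_perm <yes|no> <verb> <resource> <namespace>
# Prints PASS or FAIL and returns non-zero when the answer differs.
expect_perm() {
  local want="$1" verb="$2" resource="$3" ns="$4" got
  # can-i exits non-zero on "no", so ignore the status and read the answer.
  got=$(oc auth can-i "$verb" "$resource" --as="$INSTANCE_ADMIN" -n "$ns" 2>/dev/null || true)
  got=${got%% *}   # keep the first word; the answer may carry a trailing note
  if [ "$got" = "$want" ]; then
    echo "PASS  $ns: $verb $resource = $got"
  else
    echo "FAIL  $ns: $verb $resource = ${got:-error} (expected $want)"
    return 1
  fi
}

verify_instance_admin() {
  local rc=0 verb
  local og=operatorgroups.operators.coreos.com
  local cs=catalogsources.operators.coreos.com
  local ops="$PROJECT_CPD_INST_OPERATORS" mkt=openshift-marketplace

  # Step 4: cpd-instance-admin-apply-olm in the operators project.
  for verb in create get list patch update; do
    expect_perm yes "$verb" "$og" "$ops" || rc=1
  done
  for verb in create get list; do
    expect_perm yes "$verb" "$cs" "$ops" || rc=1
  done

  # Step 5: cpd-instance-admin-read-catsrc grants only get and list.
  for verb in get list; do
    expect_perm yes "$verb" "$cs" "$mkt" || rc=1
  done
  # Write verbs are not in that Role, so the expected answer is "no".
  for verb in create update patch delete; do
    expect_perm no "$verb" "$cs" "$mkt" || rc=1
  done
  return "$rc"
}

# Usage, after sourcing the environment variables: verify_instance_admin
```

A FAIL on a write verb in openshift-marketplace means a binding other than cpd-instance-admin-read-catsrc-rbac grants it to the user.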

What to do next

Now that you've authorized a user to act as an IBM Cloud Pak for Data instance administrator, you're ready to complete Creating secrets for services that use Multicloud Object Gateway (Upgrading from Version 4.5 to Version 4.7).