Before you begin
Best practice: You can run the commands in this task exactly as written using the installation environment variables. Ensure that you added the new environment variables from Updating your environment variables script. In addition, ensure that you source the environment variables before you run the commands in this task.
About this task
You must assign the following roles in the specified projects to any users who will install software for this instance of Cloud Pak for Data:

Role | Projects | Details
admin | Operators project; Operands project; Any tethered projects | The Red Hat OpenShift Container Platform admin role enables a user to view and modify any resource in the project except for the project quota.
cpd-instance-admin-apply-olm | Operators project | The cpd-instance-admin-apply-olm role enables a user to create and modify OLM artifacts in the operators project for the instance.
Tip: If you are not willing to give a user the admin permission on the projects associated with the instance, you can give the user the minimum role-based access control to create the required resources based on the components that you plan to install. However, this method requires additional planning and maintenance and is not recommended for typical installations.
Giving a user the minimum RBAC to install Cloud Pak for Data components
Procedure
To apply the required permissions to the projects:
- Log in to Red Hat OpenShift Container Platform as a user with sufficient permissions to complete the task.
- Set the INSTANCE_ADMIN environment variable to the username of the Red Hat OpenShift Container Platform user that you want to give instance administration privileges to.
export INSTANCE_ADMIN=<user>
- Assign the user the admin role in all of the projects associated with the instance.
Tip: The following steps use the oc adm policy add-role-to-user <role-name> <user-name> command. Alternatively, you can use the oc adm policy add-role-to-group <role-name> <group-name> command to authorize a group of Red Hat OpenShift Container Platform users.
  - Assign the user the role in the operators project for the instance:
oc adm policy add-role-to-user admin ${INSTANCE_ADMIN} \
  --namespace=${PROJECT_CPD_INST_OPERATORS} \
  --rolebinding-name="cpd-instance-admin-rbac"
  - Assign the user the role in the operands project for the instance:
oc adm policy add-role-to-user admin ${INSTANCE_ADMIN} \
  --namespace=${PROJECT_CPD_INST_OPERANDS} \
  --rolebinding-name="cpd-instance-admin-rbac"
  - Assign the user the role in any tethered projects for the instance:
oc adm policy add-role-to-user admin ${INSTANCE_ADMIN} \
  --namespace=${PROJECT_CPD_INSTANCE_TETHERED} \
  --rolebinding-name="cpd-instance-admin-rbac"
Repeat this step for each tethered project that is associated with this instance of Cloud Pak for Data.
Tip: If you set the PROJECT_CPD_INSTANCE_TETHERED_LIST environment variable, print the list of tethered projects to the terminal:
echo $PROJECT_CPD_INSTANCE_TETHERED_LIST
Use this information to set the PROJECT_CPD_INSTANCE_TETHERED environment variable before you re-run the command.
- Assign the user the cpd-instance-admin-apply-olm role on the operators project for the instance:
  - Create the cpd-instance-admin-apply-olm role in the operators project for the instance:
oc apply -f - << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cpd-instance-admin-apply-olm
  namespace: ${PROJECT_CPD_INST_OPERATORS}
rules:
- apiGroups:
  - operators.coreos.com
  resources:
  - operatorgroups
  verbs:
  - create
  - get
  - list
  - patch
  - update
- apiGroups:
  - operators.coreos.com
  resources:
  - catalogsources
  verbs:
  - create
  - get
  - list
EOF
  - Assign the user the role in the operators project for the instance:
Tip: The following step uses the oc adm policy add-role-to-user <role-name> <user-name> command. Alternatively, you can use the oc adm policy add-role-to-group <role-name> <group-name> command to authorize a group of Red Hat OpenShift Container Platform users.
oc adm policy add-role-to-user cpd-instance-admin-apply-olm ${INSTANCE_ADMIN} \
  --namespace=${PROJECT_CPD_INST_OPERATORS} \
  --role-namespace=${PROJECT_CPD_INST_OPERATORS} \
  --rolebinding-name="cpd-instance-admin-apply-olm-rbac"
- Assign the user the cpd-instance-admin-read-catsrc role on the openshift-marketplace project:
  - Create the cpd-instance-admin-read-catsrc role in the openshift-marketplace project.
Skip this step if you already created the cpd-instance-admin-read-catsrc role in the openshift-marketplace project, for example because you are authorizing a second instance administrator or you are authorizing an instance administrator on a second instance of Cloud Pak for Data.
oc apply -f - << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cpd-instance-admin-read-catsrc
  namespace: openshift-marketplace
rules:
- apiGroups:
  - operators.coreos.com
  resources:
  - catalogsources
  verbs:
  - get
  - list
EOF
  - Assign the user the role in the openshift-marketplace project:
oc adm policy add-role-to-user cpd-instance-admin-read-catsrc ${INSTANCE_ADMIN} \
  --namespace=openshift-marketplace \
  --role-namespace=openshift-marketplace \
  --rolebinding-name="cpd-instance-admin-read-catsrc-rbac"
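After the bindings are in place, it is worth confirming that the user received exactly the permissions the table describes and nothing more. The following script is an added example and is not part of IBM's documentation: it asks the cluster with oc auth can-i, impersonating the instance administrator (so run it as a user allowed to impersonate, such as a cluster administrator), and compares each answer with what the admin, cpd-instance-admin-apply-olm and cpd-instance-admin-read-catsrc bindings should grant. The environment variables are the ones used in this task; the OC variable, the list of probes and the assumption that the user holds no other bindings are the example's own.

```shell
#!/bin/sh
# Added verification script (not from IBM's documentation). It assumes the
# variables used in this task are sourced: INSTANCE_ADMIN,
# PROJECT_CPD_INST_OPERATORS and PROJECT_CPD_INST_OPERANDS.
# OC is an assumption of this example: it names the CLI to call, so a
# wrapper can stand in for a real cluster during a dry run.
OC=${OC:-oc}

# One probe per line: verb resource namespace expected-answer.
# "yes" probes come from the Role rules and admin bindings in this task;
# "no" probes cover verbs those bindings deliberately do not grant
# (admin cannot change the project quota, the openshift-marketplace role
# is read-only). They assume no other bindings exist for the user.
expected_permissions() {
    cat <<EOF
create operatorgroups.operators.coreos.com ${PROJECT_CPD_INST_OPERATORS} yes
patch operatorgroups.operators.coreos.com ${PROJECT_CPD_INST_OPERATORS} yes
create catalogsources.operators.coreos.com ${PROJECT_CPD_INST_OPERATORS} yes
get catalogsources.operators.coreos.com openshift-marketplace yes
delete catalogsources.operators.coreos.com openshift-marketplace no
create catalogsources.operators.coreos.com openshift-marketplace no
create pods ${PROJECT_CPD_INST_OPERANDS} yes
update resourcequotas ${PROJECT_CPD_INST_OPERANDS} no
EOF
}

# Ask the cluster each question as INSTANCE_ADMIN and print one line per
# probe whose answer differs from the expectation. Prints nothing when the
# bindings grant exactly what the task describes.
permission_mismatches() {
    expected_permissions | while read -r verb resource ns expected; do
        # oc auth can-i prints "yes" or "no[ - reason]" and exits 1 on "no";
        # keep only the first word and ignore the exit status.
        actual=$($OC auth can-i "$verb" "$resource" --namespace="$ns" \
                     --as="$INSTANCE_ADMIN" 2>/dev/null </dev/null \
                 | head -n 1 | cut -d' ' -f1)
        [ "$actual" = "$expected" ] ||
            echo "$verb $resource $ns expected=$expected actual=${actual:-none}"
    done
}

# Exit status 0 when every probe matched; mismatches go to stderr.
check_permissions() {
    mismatches=$(permission_mismatches)
    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches" >&2
    return 1
}

# When run directly with the variables sourced, report the result.
if [ -n "${INSTANCE_ADMIN:-}" ] && [ -n "${PROJECT_CPD_INST_OPERATORS:-}" ]; then
    check_permissions && echo "All RBAC probes matched for ${INSTANCE_ADMIN}"
else
    echo "Source the installation environment variables before running this check." >&2
fi
```

Any line the script prints is a binding that is either missing (a "yes" probe answered "no", typically a role binding that was created in the wrong namespace or without --role-namespace) or broader than intended (a "no" probe answered "yes", which usually means the user already holds another binding worth reviewing).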
What to do next
Now that you've authorized a user to act as an IBM Cloud Pak for Data instance administrator, you're ready to complete Creating secrets for services that use Multicloud Object Gateway (Upgrading from Version 4.5 to Version 4.7).