manage show-minimum-rbac

Show the minimum role-based access control (RBAC) for the components that you plan to install.

Extended description

If you don't want to give an instance administrator the default admin role on the projects that are associated with an instance of Cloud Pak for Data, you can use the show-minimum-rbac command to show the minimum role-based access control (RBAC) for the components that you plan to install.

The show-minimum-rbac command provides an alternative method for authorizing a user to act as an instance administrator. However, this method is recommended only if you are not willing to grant the roles described in Authorizing a user to act as an IBM Cloud Pak for Data instance administrator.

Important: The show-minimum-rbac method requires substantial planning and maintenance:
  • You must run this command based on the services that you plan to install in an instance. For example:
    • Instance 1 will include IBM® Knowledge Catalog, Data Privacy, AI Factsheets, Watson™ Studio, and SPSS® Modeler
    • Instance 2 will include IBM Knowledge Catalog, Data Privacy, Watson Studio, RStudio® Server Runtimes

    In this scenario, the minimum RBAC requirements for each instance are different because the services that you plan to install in the instances are different.

  • You must run this command based on the version of Cloud Pak for Data that you are installing. A service might introduce a new resource at any time, so you must run the command based on the version that you want to install to ensure that the instance administrator has sufficient permissions on the instance.
  • When you want to upgrade an instance, you must re-run the command based on the version that you want to upgrade to.
Restriction: Not all services provide their minimum RBAC requirements. If a service that you plan to install does not provide this information, you must work with IBM Software Support to obtain this information.

This command generates the following YAML files:

${ROLE_NAME}-cpd-instance-admin.${VERSION}.yaml
This YAML file defines the minimum privileges that an instance administrator must have to create, modify, and view the Kubernetes and Red Hat® OpenShift® Container Platform resources that are associated with an instance of Cloud Pak for Data.

You can use this file to create the ${ROLE_NAME}-cpd-instance_admin role.

${ROLE_NAME}-cpd-instance-crs.${VERSION}.yaml
This YAML file defines the minimum privileges that an instance administrator must have to install, modify, and view the custom resources that are associated with an instance of Cloud Pak for Data.

The list of custom resources in the YAML file depends on the components that you plan to install in the instance.

You can use this file to create the ${ROLE_NAME}-cpd-instance-crs role.

nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}.yaml
This YAML file defines the minimum privileges that the NamespaceScope operator must have to manage the projects associated with an instance of Cloud Pak for Data.

The role does not contain any wildcard characters.

The role must be applied to all projects that are associated with the instance.

The list of resources depends on the components that you plan to install in the instance.

You can use this file to create the nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS} role.

The YAML files are saved to the work directory.

Syntax

cpd-cli manage show-minimum-rbac \
--components=<comma-separated-list-of-component-names> \
--release=<version> \
[--role_name=<role-name>] \
[--cpd_operator_ns=<project-name>]

Arguments

The show-minimum-rbac command has no arguments.

Options

--components
    A comma-separated list of the components that you want to install or upgrade.

    Status
        Required.
    Syntax
        --components=<comma-separated-list-of-component-names>
    Default value
        There is no default value. The list depends on which components you want to install or upgrade.
    Valid values
        For the list of components, see Component IDs.

        You can specify individual components or a comma-separated list of components.

--cpd_operator_ns
    The project where you want to install the operators for this instance of Cloud Pak for Data.

    Status
        Optional.

        Use this option if you need to generate the role for the NamespaceScope operator.
    Syntax
        --cpd_operator_ns=<project-name>
    Default value
        There is no default value.
    Valid values
        The project where you want to install the operators for this instance of Cloud Pak for Data.

--release
    The release that you want to install or upgrade to.

    Status
        Required.
    Syntax
        --release=<version>
    Default value
        No default. You must specify the release.
    Valid values
          • 4.8.0
          • 4.8.1
          • 4.8.2
          • 4.8.3
          • 4.8.4
          • 4.8.5

--role_name
    The unique name to use to identify the role.

    The value is used as a prefix for the YAML files and for the roles defined in the YAML files.

    Status
        Optional.

        Use this option if you need to generate roles for different components or roles for different instances of Cloud Pak for Data.
    Syntax
        --role_name=<role-name>
    Default value
        minimum-privileges
    Valid values
        A unique identifier for the role.
        The name must meet the following requirements:
          • Start with an alphanumeric character
          • Contain only alphanumeric characters and dashes (-)
          • Be a maximum of 20 characters

Examples

Note: The following example uses the recommended installation environment variables.

It is strongly recommended that you use a script to create environment variables with the correct values for your environment. For details, see Best practice: Setting up installation environment variables.

Create the YAML files that define the minimum role-based access control for the specified components at the specified release
cpd-cli manage show-minimum-rbac \
--components=${COMPONENTS} \
--release=${VERSION} \
--role_name=${ROLE_NAME}
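As an added example that is not part of the cpd-cli documentation, the following POSIX shell pre-flight checks a candidate --role_name against the documented naming rules and audits the YAML files in the work directory for wildcard ("*") grants before they are applied with oc or kubectl. The sample YAML contents are constructed; only the file name follows the documented pattern, and the cpd-cli invocation is assumed to have already run.

```shell
# Added example, not part of the cpd-cli documentation. Checks a --role_name
# value against the documented rules and audits generated role YAML for "*"
# grants, following the statement that the generated roles contain no wildcards.

# Return 0 when NAME starts with an alphanumeric character, contains only
# alphanumerics and dashes, and is at most 20 characters long.
validate_role_name() {
  name="$1"
  [ -n "$name" ] && [ "${#name}" -le 20 ] || return 1
  case "$name" in
    [A-Za-z0-9]*) ;;                 # first character must be alphanumeric
    *) return 1 ;;
  esac
  case "$name" in
    *[!A-Za-z0-9-]*) return 1 ;;     # underscores, dots, spaces etc. rejected
  esac
}

# Return 0 when a Role YAML grants "*" in apiGroups, resources or verbs.
# A bare * is a YAML alias, so a wildcard grant is always quoted.
has_wildcards() {
  grep -Eq "[\"']\\*[\"']" "$1"
}

# Return 1 if any YAML file in the work directory grants "*".
audit_work_dir() {
  rc=0
  for f in "$1"/*.yaml; do
    [ -f "$f" ] || continue
    if has_wildcards "$f"; then echo "wildcard grant in $f" >&2; rc=1; fi
  done
  return $rc
}

# Constructed sample files standing in for cpd-cli output (assumed content;
# only the first file name follows the documented pattern).
WORK_DIR=$(mktemp -d)
cat > "$WORK_DIR/minimum-privileges-cpd-instance-admin.4.8.5.yaml" <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: minimum-privileges-cpd-instance-admin}
rules:
- apiGroups: [""]
  resources: ["configmaps", "secrets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
EOF
BAD_DIR=$(mktemp -d)
printf 'rules:\n- apiGroups: ["*"]\n  resources: ["*"]\n  verbs: ["*"]\n' > "$BAD_DIR/over-broad.yaml"
```

Run validate_role_name on the value of ROLE_NAME before invoking show-minimum-rbac, and audit_work_dir on the work directory afterwards; a non-zero exit from either means the roles should not be created as generated.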