Giving a user the minimum RBAC to set up and install Cloud Pak for Data

If a user other than the cluster administrator will install Cloud Pak for Data, you must give a Red Hat® OpenShift® Container Platform user the minimum role-based access control (RBAC) that is needed to install the Cloud Pak for Data software in the instance projects. The cluster administrator can also give the same user the minimum RBAC to set up the instance projects, so that the user never needs the admin role on those projects.

Who needs to complete this task?

A cluster administrator must complete this task.

When do you need to complete this task?
Complete this task only if you want to enable another user to:
  • Apply the required permissions to the projects associated with an instance of Cloud Pak for Data.
  • Install an instance of Cloud Pak for Data without giving the user the admin role on the projects associated with the instance.
Restriction: You cannot use this method to upgrade to Cloud Pak for Data Version 5.0. This method is supported only for new installations of Cloud Pak for Data Version 4.8.

If you only want to enable a user to install an instance of Cloud Pak for Data, see Giving a user the minimum RBAC to install Cloud Pak for Data components.

Before you begin

This task assumes that the projects where you want to install an instance of Cloud Pak for Data already exist. If you need to create the projects for the instance, see Manually creating projects (namespaces) for an instance of IBM Cloud Pak for Data.

Best practice: You can run many of the commands in this task exactly as written if you set up environment variables for your installation. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

About this task

Use the show-minimum-rbac command to generate the YAML files that you can use to give a user the minimum RBAC to set up the projects and install the components associated with an instance of Cloud Pak for Data.

Important: This task is recommended only for customers with extremely rigid security requirements. It is not recommended for most customers because it requires additional planning and maintenance.
You must re-run the show-minimum-rbac command and reapply the roles in the following situations:
  • Each time you plan to install a newer version of Cloud Pak for Data.
  • Any time you plan to install a new service on the instance.

Regenerating and reapplying the roles ensures that the user has sufficient permissions to manage the resources that are associated with the instance of Cloud Pak for Data. The generated roles are scoped to the components and release that you pass to the command, so a role that was generated for an earlier release or a smaller set of components will not cover the new resources.

Procedure

  1. Log the cpd-cli in to the Red Hat OpenShift Container Platform cluster:
    ${CPDM_OC_LOGIN}
    Remember: CPDM_OC_LOGIN is an alias for the cpd-cli manage login-to-ocp command.
  2. Set the ROLE_NAME environment variable to a unique identifier for the role.
    The name must meet the following requirements:
    • Start with an alphanumeric character
    • Contain only alphanumeric characters and dashes (-)
    • Be a maximum of 20 characters
    export ROLE_NAME=<role_name>
  3. Run the cpd-cli manage show-minimum-rbac command to generate the YAML files that you can use to create the roles with the minimum RBAC for the components:
    cpd-cli manage show-minimum-rbac \
    --cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
    --components=${COMPONENTS} \
    --release=${VERSION} \
    --role_name=${ROLE_NAME}
    The command generates the following YAML files in the work directory:
    • ${ROLE_NAME}-cpd-instance-admin.${VERSION}.yaml
    • ${ROLE_NAME}-cpd-instance-crs.${VERSION}.yaml
    • nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}.yaml
  4. Change to the work directory.
  5. Create the roles from the YAML files:
    1. Create the ${ROLE_NAME}-cpd-instance-admin role in the operators project for the instance:
      oc create \
      -f ${ROLE_NAME}-cpd-instance-admin.${VERSION}.yaml \
      --namespace=${PROJECT_CPD_INST_OPERATORS}
    2. Create the ${ROLE_NAME}-cpd-instance-crs role in the operators project for the instance:
      oc create \
      -f ${ROLE_NAME}-cpd-instance-crs.${VERSION}.yaml \
      --namespace=${PROJECT_CPD_INST_OPERATORS}
    3. Create the ${ROLE_NAME}-cpd-instance-admin role in the operands project for the instance:
      oc create \
      -f ${ROLE_NAME}-cpd-instance-admin.${VERSION}.yaml \
      --namespace=${PROJECT_CPD_INST_OPERANDS}
    4. Create the ${ROLE_NAME}-cpd-instance-crs role in the operands project for the instance:
      oc create \
      -f ${ROLE_NAME}-cpd-instance-crs.${VERSION}.yaml \
      --namespace=${PROJECT_CPD_INST_OPERANDS}
    5. Create the ${ROLE_NAME}-cpd-instance-admin role in any tethered projects for the instance:
      oc create \
      -f ${ROLE_NAME}-cpd-instance-admin.${VERSION}.yaml \
      --namespace=${PROJECT_CPD_INSTANCE_TETHERED}
      Repeat this step for each tethered project that is associated with this instance of Cloud Pak for Data.
      Tip: If you set the PROJECT_CPD_INSTANCE_TETHERED_LIST environment variable, print the list of tethered projects to the terminal:
      echo $PROJECT_CPD_INSTANCE_TETHERED_LIST

      Use this information to set the PROJECT_CPD_INSTANCE_TETHERED environment variable before you re-run the command.

    6. Create the ${ROLE_NAME}-cpd-instance-crs role in any tethered projects for the instance:
      oc create \
      -f ${ROLE_NAME}-cpd-instance-crs.${VERSION}.yaml \
      --namespace=${PROJECT_CPD_INSTANCE_TETHERED}
      Repeat this step for each tethered project that is associated with this instance of Cloud Pak for Data.
      Tip: If you set the PROJECT_CPD_INSTANCE_TETHERED_LIST environment variable, print the list of tethered projects to the terminal:
      echo $PROJECT_CPD_INSTANCE_TETHERED_LIST

      Use this information to set the PROJECT_CPD_INSTANCE_TETHERED environment variable before you re-run the command.

  6. Set the INSTANCE_ADMIN environment variable to the username of the Red Hat OpenShift Container Platform user that you want to give administration privileges to.
    export INSTANCE_ADMIN=<user>
  7. Assign the user the roles in the projects for the instance:
    Tip: The following steps use the oc adm policy add-role-to-user <role-name> <user-name> command. Alternatively, you can use the oc adm policy add-role-to-group <role-name> <group-name> command to authorize a group of Red Hat OpenShift Container Platform users. In every case, set --role-namespace to the same project as --namespace: this makes the role binding reference the namespaced Role that you created in that project rather than a ClusterRole of the same name.
    1. Assign the user the ${ROLE_NAME}-cpd-instance-admin role in the operators project for the instance:
      oc adm policy add-role-to-user ${ROLE_NAME}-cpd-instance-admin ${INSTANCE_ADMIN} \
      --namespace=${PROJECT_CPD_INST_OPERATORS} \
      --role-namespace=${PROJECT_CPD_INST_OPERATORS}
    2. Assign the user the ${ROLE_NAME}-cpd-instance-crs role in the operators project for the instance:
      oc adm policy add-role-to-user ${ROLE_NAME}-cpd-instance-crs ${INSTANCE_ADMIN} \
      --namespace=${PROJECT_CPD_INST_OPERATORS} \
      --role-namespace=${PROJECT_CPD_INST_OPERATORS}
    3. Assign the user the ${ROLE_NAME}-cpd-instance-admin role in the operands project for the instance:
      oc adm policy add-role-to-user ${ROLE_NAME}-cpd-instance-admin ${INSTANCE_ADMIN} \
      --namespace=${PROJECT_CPD_INST_OPERANDS} \
      --role-namespace=${PROJECT_CPD_INST_OPERANDS}
    4. Assign the user the ${ROLE_NAME}-cpd-instance-crs role in the operands project for the instance:
      oc adm policy add-role-to-user ${ROLE_NAME}-cpd-instance-crs ${INSTANCE_ADMIN} \
      --namespace=${PROJECT_CPD_INST_OPERANDS} \
      --role-namespace=${PROJECT_CPD_INST_OPERANDS}
    5. Assign the user the ${ROLE_NAME}-cpd-instance-admin role in any tethered projects for the instance:
      oc adm policy add-role-to-user ${ROLE_NAME}-cpd-instance-admin ${INSTANCE_ADMIN} \
      --namespace=${PROJECT_CPD_INSTANCE_TETHERED} \
      --role-namespace=${PROJECT_CPD_INSTANCE_TETHERED}
      Repeat this step for each tethered project that is associated with this instance of Cloud Pak for Data.
      Tip: If you set the PROJECT_CPD_INSTANCE_TETHERED_LIST environment variable, print the list of tethered projects to the terminal:
      echo $PROJECT_CPD_INSTANCE_TETHERED_LIST

      Use this information to set the PROJECT_CPD_INSTANCE_TETHERED environment variable before you re-run the command.

    6. Assign the user the ${ROLE_NAME}-cpd-instance-crs role in any tethered projects for the instance:
      oc adm policy add-role-to-user ${ROLE_NAME}-cpd-instance-crs ${INSTANCE_ADMIN} \
      --namespace=${PROJECT_CPD_INSTANCE_TETHERED} \
      --role-namespace=${PROJECT_CPD_INSTANCE_TETHERED}
      Repeat this step for each tethered project that is associated with this instance of Cloud Pak for Data.
      Tip: If you set the PROJECT_CPD_INSTANCE_TETHERED_LIST environment variable, print the list of tethered projects to the terminal:
      echo $PROJECT_CPD_INSTANCE_TETHERED_LIST

      Use this information to set the PROJECT_CPD_INSTANCE_TETHERED environment variable before you re-run the command.

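The following script is an added example and is not part of the IBM documentation or the cpd-cli tooling. It runs steps 5 and 7 of this procedure as one loop over every project of the instance (operators, operands and each tethered project), validates ROLE_NAME against the rules in step 2 before anything is created, and then checks the property this page exists for: that the user holds the generated roles and not the built-in admin role. It assumes that the installation environment variables are sourced, that cpd-cli is logged in to the cluster (step 1), that the current directory is the work directory where show-minimum-rbac wrote the YAML files (steps 3 and 4), and that PROJECT_CPD_INSTANCE_TETHERED_LIST is comma- or space-separated (an assumption; adjust the separator if your list differs). The oc invocations are the ones shown in the procedure; oc auth can-i --list and the jsonpath query are standard oc features used here for verification.

```shell
#!/bin/sh
# Added example, not from the IBM documentation or cpd-cli. Applies and verifies the
# minimum RBAC for one instance across all of its projects.
# Assumed environment: PROJECT_CPD_INST_OPERATORS, PROJECT_CPD_INST_OPERANDS,
# PROJECT_CPD_INSTANCE_TETHERED_LIST (comma- or space-separated; an assumption),
# VERSION, ROLE_NAME and INSTANCE_ADMIN are set, oc is logged in, and the current
# directory holds the YAML files that show-minimum-rbac generated.
set -eu

# Step 2 rules: start with an alphanumeric, only alphanumerics and dashes, at most 20 chars.
valid_role_name() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9-]*) return 1 ;;
  esac
  [ ${#1} -le 20 ]
}

# Print every project that needs the roles, one per line and de-duplicated.
instance_projects() {
  ops="$1"; opd="$2"; tethered="${3:-}"
  {
    printf '%s\n%s\n' "$ops" "$opd"
    if [ -n "$tethered" ]; then printf '%s\n' "$tethered" | tr ', ' '\n\n'; fi
  } | sed '/^$/d' | awk '!seen[$0]++'
}

# Steps 5 and 7 for one project: create both generated roles, then bind them to the user.
# --role-namespace equals --namespace so the binding references the Role created in this
# project, not a ClusterRole that happens to share the name.
grant_in_project() {
  role_name="$1"; version="$2"; user="$3"; ns="$4"
  for suffix in cpd-instance-admin cpd-instance-crs; do
    oc create -f "${role_name}-${suffix}.${version}.yaml" --namespace="$ns"
    oc adm policy add-role-to-user "${role_name}-${suffix}" "$user" \
      --namespace="$ns" --role-namespace="$ns"
  done
}

# Returns 0 if any RoleBinding in the project grants the built-in admin role to the user.
# Subjects are matched by name only; tighten with .subjects[*].kind if users and groups
# share names in your identity provider.
has_admin_binding() {
  user="$1"; ns="$2"
  oc get rolebindings --namespace="$ns" \
    -o jsonpath='{range .items[*]}{.roleRef.name}{"\t"}{.subjects[*].name}{"\n"}{end}' \
    | awk -v u="$user" -F'\t' '$1 == "admin" { n = split($2, s, " ");
        for (i = 1; i <= n; i++) if (s[i] == u) found = 1 } END { exit !found }'
}

# Fail if the user ended up with admin anywhere; otherwise print the effective permissions
# so the result can be reviewed (and kept as evidence of what was granted).
verify_projects() {
  user="$1"; shift
  for ns in "$@"; do
    if has_admin_binding "$user" "$ns"; then
      echo "FAIL: $user holds the admin role in $ns; this is not minimum RBAC" >&2
      return 1
    fi
    echo "== effective permissions of $user in $ns"
    oc auth can-i --list --as="$user" --namespace="$ns"
  done
}

# Run only when the installation variables are present, so the file can also be sourced
# for its functions.
if [ -n "${PROJECT_CPD_INST_OPERATORS:-}" ] && [ -n "${INSTANCE_ADMIN:-}" ]; then
  valid_role_name "$ROLE_NAME" || { echo "invalid ROLE_NAME: $ROLE_NAME" >&2; exit 1; }
  projects=$(instance_projects "$PROJECT_CPD_INST_OPERATORS" "$PROJECT_CPD_INST_OPERANDS" \
                               "${PROJECT_CPD_INSTANCE_TETHERED_LIST:-}")
  for ns in $projects; do
    grant_in_project "$ROLE_NAME" "$VERSION" "$INSTANCE_ADMIN" "$ns"
  done
  verify_projects "$INSTANCE_ADMIN" $projects
fi
```

Run it from the work directory after step 4 with the same environment you use for the rest of the installation. The verification deliberately checks for the admin ClusterRole by name in each project: if it is bound to the user, the generated roles are irrelevant because admin already covers them, and the point of this procedure is lost.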
Results

After you give a user the minimum RBAC to set up and install an instance of Cloud Pak for Data, the user can use the nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}.yaml file to set up the instance.

What to do next

You must share the nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}.yaml file with the user who will apply the required permissions to the projects associated with the instance. The user can use the nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}.yaml file to complete Applying the required permissions to projects (namespaces) as an instance administrator.