Cluster-scoped permissions required by the IBM Cloud Pak for Integration operator
The IBM Cloud Pak® for Integration operator requires various cluster-scoped permissions. OpenShift assigns these permissions to a service account user (cluster user).
Tip: To view all the columns in the table, you may need to minimize the table of contents or scroll to the end.
| API group | Resources | Verbs | Permission | Usage |
|---|---|---|---|---|
| config.openshift.io | consoles | get, list, watch | List specific Consoles | Allows the IBM Cloud Pak for Integration operator to identify the URL that is derived from the host for the route that is created for the OpenShift web console |
| config.openshift.io | clusterversions | get, list, watch | List specific ClusterVersions | Allows the IBM Cloud Pak for Integration operator to identify the OCP version that the cluster is reconciling towards |
| admissionregistration.k8s.io | validatingwebhookconfigurations | create, delete, get, update | Manage ValidatingWebhookConfigurations | The IBM Cloud Pak for Integration operator uses validation webhooks to provide immediate validation and feedback about the creation and modification of IBM Cloud Pak Platform UI instances. The permission to manage webhooks is required for the operator to register these actions. |
| console.openshift.io | consoleyamlsamples, consolequickstarts, consolelinks | create, delete, get, update | Manage ConsoleYAMLSamples | ConsoleYAMLSamples are used to provide samples for the Cloud Pak for Integration resources in the OpenShift web console. The permission to manage ConsoleYAMLSamples is required for the operator to register the setting up of samples. |
| apiextensions.k8s.io | customerresourcedefinitions | get, list | List specific CustomResourceDefinitions | Required to allow the IBM Cloud Pak for Integration operator to give permissions to the Platform UI, in order to identify whether other optional dependencies have been installed into the cluster. |
| rbac.authorization.k8s.io | clusterroles, clusterrolebindings | create, delete, get, list, update, watch | Manage ClusterRoles and ClusterRoleBindings | The IBM Cloud Pak for Integration operator gives the Platform UI permissions to list CustomResourceDefinitions, which are cluster-scoped objects. These permissions must be created and managed as ClusterRoles. The permission to manage ClusterRoleBindings allows the operator to identify the appropriate ClusterRole created. |
| integration.ibm.com | platformnavigators, operationsdashboards, assetrepositories, integrationassemblies, messagingservers, messagingqueues, messagingchannels, messagingusers | get, list | List instances | Required for managing versions and upgrades using the Platform UI |
| mq.ibm.com | queuemanagers | get, list | List instances | Required for managing versions and upgrades using the Platform UI |
| appconnect.ibm.com | dashboards, designerauthorings, integrationruntimes, integrationservers | get, list | List instances | Required for managing versions and upgrades using the Platform UI |
| apiconnect.ibm.com | apiconnectclusters, apis, products | get, list | List instances | Required for managing versions and upgrades using the Platform UI |
| management.apiconnect.ibm.com | managementclusters | get, list | List instances | Required for managing versions and upgrades using the Platform UI |
| eventendpointmanager.apiconnect.ibm.com | eventendpointmanagers | get, list | List instances | Required for managing versions and upgrades using the Platform UI |
| hsts.aspera.ibm.com | ibmasperahstss | get, list | List instances | Required for managing versions and upgrades using the Platform UI |
| eventstreams.ibm.com | eventstreams, kafkatopics, kafkausers | get, list | List instances | Required for managing versions and upgrades using the Platform UI |
| datapower.ibm.com | datapowerservices | get, list | List instances | Required for managing versions and upgrades using the Platform UI |
| events.ibm.com | eventendpointmanagements, eventgateways | get, list | List instances | Required for managing versions and upgrades using the Platform UI |
| operators.coreos.com | clusterserviceversions, subscriptions, catalogsources, operators | get, list | Manage ClusterServiceVersions, Subscriptions, CatalogSources and Operators | Required for managing versions and upgrades using the Platform UI |
| packages.operators.coreos.com | packagemanifests list | list | List PackageManifests | Required for managing versions and upgrades using the Platform UI |
| "" | configmaps | create, delete, get, list, update, watch | Manage ConfigMaps | Required for managing versions and upgrades using the Platform UI. |
| route.openshift.io | routes/custom-host | create, list, watch, delete, get, update | Manage Routes | Required for editing the Platform UI route to use a custom hostname |
| "" | storageclasses | get, list | Read Storage Classes | Allows the IBM Cloud Pak for Integration operator to detect whether a default storage class has been set |
| "" | validatingadmissionpolicies, validatingadmissionpolicybindings | create, update, watch, delete, list, get, patch | Manage ValidatingAdmissionPolicies and ValidatingAdmissionPolicyBindings | Required for the Platform UI to manage these resources |
An empty value ("") in the API group column indicates that the permission is a core resource.