Limiting visibility of namespaces in License Service
License Service can be configured to monitor only selected namespaces. However, limiting visibility of namespaces in License Service must be justified and approved by IBM® Compliance.
This feature is available from License Service version 4.2.7.
By default, License Service is allowed to detect IBM® products in all namespaces in the cluster.
If you have a valid business need to limit the access rights of License Service to only a subset of namespaces, you need to get an approval from IBM Compliance.
Limiting the visibility of namespaces that License Service can scan is also referred to as namespace scoping.
If you enable namespace scoping, you take responsibility for managing the scope of License Service when you plan to deploy IBM software in additional namespaces. Otherwise, you are at risk of being non-compliant.
Information about the limited visibility of namespaces is available in the audit snapshot that you generate with License Service. For more information, see Audit snapshot.
To enable namespace scoping, use one of the following methods:
- Enabling namespace scoping by using Operator Lifecycle Manager (OLM)
- Enabling namespace scoping without Operator Lifecycle Manager (OLM)
Note: It is recommended to use only one of the available methods for namespace scoping. If you enable namespace scoping without OLM by using the Config Map, this setting takes precedence over OLM’s OperatorGroups. Because of that, License Service watches over the namespaces that are defined in the Config Map, even when they are otherwise configured with the OperatorGroups.
Enabling namespace scoping by using Operator Lifecycle Manager (OLM)
The IBMLicensing operator leverages the OLM's OperatorGroups feature for namespace scoping. OperatorGroup, as an OLM feature, allows the configuration of namespace scoping on any Kubernetes infrastructure where OLM is used to manage the IBMLicensing operator.
Complete the following steps to enable namespace scoping.
1. Open the License Service custom resource (CR).
   - From the OpenShift console:
     - Log in to your OpenShift console.
     - Go to Operators > Installed Operators.
     - From the Project drop-down list, select All Projects.
     - Select IBM Licensing.
     - Select the IBM License Service tab. The instance of the License Service custom resource is listed.
     - From the overflow action menu, select Edit IBMLicensing.
   - From the command line, run the following command:
     kubectl edit IBMLicensing instance -n ibm-licensing
     Note: The recommended namespace for License Service installation is ibm-licensing. The command contains this default namespace. However, you can install License Service in any other custom namespace. If you installed License Service in a custom namespace, replace ibm-licensing with the name of the custom namespace.
2. Add the spec.features.nssEnabled parameter under the spec section and set it to true.
3. Save the CR to apply the changes.
By default, the OperatorGroup CR is created with a list of namespaces that are recommended by ibm-licensing. However, the cluster administrator can expand the list of watched namespaces by modifying the created OperatorGroup.
The following is an example of an OperatorGroup that configures License Service that is deployed in the ibm-licensing namespace to have visibility into the following namespaces: ibm-licensing, ns1 and cpak-tenant-ns.
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: ibm-licensing
  namespace: ibm-licensing
spec:
  targetNamespaces:
    - ibm-licensing
    - ns1
    - cpak-tenant-ns
Enabling namespace scoping without Operator Lifecycle Manager (OLM)
To enable namespace scoping without OLM, complete the following steps:
1. Open the License Service custom resource (CR).
   - From the OpenShift console:
     - Log in to your OpenShift console.
     - Go to Operators > Installed Operators.
     - From the Project drop-down list, select All Projects.
     - Select IBM Licensing.
     - Select the IBM License Service tab. The instance of the License Service custom resource is listed.
     - From the overflow action menu, select Edit IBMLicensing.
   - From the command line, run the following command:
     kubectl edit IBMLicensing instance -n ibm-licensing
     Note: The recommended namespace for License Service installation is ibm-licensing. The command contains this default namespace. However, you can install License Service in any other custom namespace. If you install License Service in a custom namespace, replace ibm-licensing with the name of the custom namespace.
2. Add the following parameters under the spec section:
   features:
     nssEnabled: true
     nssConfigMap: <CONFIG_MAP_NAME>
   where <CONFIG_MAP_NAME> is the name of the Config Map that contains the list of namespaces that you need to monitor with License Service. Names of namespaces should be separated with a comma and listed as a string under the data.namespaces key.
   The following is an example of the Config Map that configures License Service that is deployed in the ibm-licensing namespace to have visibility into the following namespaces: ibm-license-service-scanner, cloudpaks, ibm-products, ibm-ace-testing.
   kind: ConfigMap
   apiVersion: v1
   metadata:
     name: ibm-licensing-custom-namespaces
     namespace: ibm-licensing
   data:
     namespaces: 'ibm-license-service-scanner,cloudpaks,ibm-products,ibm-ace-testing'
   Note: The example assumes that you installed License Service in the recommended ibm-licensing namespace. If you installed License Service in a custom namespace, change the value of the metadata.namespace parameter to this custom namespace.
3. Configure a proper role for each namespace that you defined in the Config Map to allow License Service to scan these namespaces.
   The following is an example of a role that is created for the ibm-products namespace that you already defined in the Config Map:
   apiVersion: rbac.authorization.k8s.io/v1
   kind: Role
   metadata:
     name: ibm-ls-restricted-ibm-products-r
     namespace: ibm-products
   rules:
     - apiGroups:
         - ""
       resources:
         - configmaps
       verbs:
         - create
         - get
         - list
         - update
     - apiGroups:
         - ""
       resources:
         - pods
       verbs:
         - get
         - list
     - apiGroups:
         - "apps"
       resources:
         - deployments
       verbs:
         - get
         - list
4. Configure a proper role binding for each namespace that you defined in the Config Map to map the role that you created in step 3 with the ibm-license-service-restricted Service Account.
   The following is an example of a role binding that is created for the previously created role for the ibm-products namespace that maps this role with the ibm-license-service-restricted Service Account:
   kind: RoleBinding
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     name: ibm-ls-restricted-ibm-products-rb
     namespace: ibm-products
   subjects:
     - kind: ServiceAccount
       name: ibm-license-service-restricted
       namespace: ibm-licensing
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: Role
     name: ibm-ls-restricted-ibm-products-r
   Note: The example assumes that you installed License Service in the recommended ibm-licensing namespace. If you installed License Service in a custom namespace, change the namespace that is defined for the Service Account from ibm-licensing to your custom namespace.
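Steps 3 and 4 have to be repeated for every namespace named in the Config Map, and a namespace that is listed there but has no Role and RoleBinding is simply not scanned. The following script is an added example, not IBM's code: it reads the Config Map's data.namespaces string, validates and de-duplicates the entries, and generates the Role and RoleBinding pair for each namespace with the same rules and naming pattern (ibm-ls-restricted-<namespace>-r and -rb) as the examples above, binding each Role to the ibm-license-service-restricted Service Account in the License Service namespace. The sample Config Map is constructed for the example and deliberately contains stray whitespace and a trailing comma.

```python
import re

# Constructed sample ConfigMap in the shape the page describes: data.namespaces is one
# comma-separated string. Stray whitespace and a trailing comma are included on purpose.
SAMPLE_CONFIGMAP = {
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "ibm-licensing-custom-namespaces", "namespace": "ibm-licensing"},
    "data": {"namespaces": "ibm-license-service-scanner, cloudpaks,ibm-products,ibm-ace-testing,"},
}
# Namespace names must be DNS-1123 labels; a malformed entry is rejected, not silently skipped.
DNS_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")
# Exactly the rules granted by the page's example Role: no secrets, no cluster-wide access.
ROLE_RULES = [
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["create", "get", "list", "update"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]},
]

def scoped_namespaces(configmap):
    """Namespaces listed under data.namespaces: trimmed, de-duplicated, validated."""
    names = []
    for item in configmap.get("data", {}).get("namespaces", "").split(","):
        name = item.strip()
        if not name:
            continue  # tolerate a trailing comma or doubled separator
        if not DNS_LABEL.match(name):
            raise ValueError(f"invalid namespace name in data.namespaces: {name!r}")
        if name not in names:
            names.append(name)
    return names

def rbac_for_namespace(ns, ls_namespace):
    """Role and RoleBinding for one scanned namespace, named as in the page's example."""
    role = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": f"ibm-ls-restricted-{ns}-r", "namespace": ns}, "rules": ROLE_RULES}
    binding = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
               "metadata": {"name": f"ibm-ls-restricted-{ns}-rb", "namespace": ns},
               # The Service Account lives in the License Service namespace, not in ns.
               "subjects": [{"kind": "ServiceAccount", "name": "ibm-license-service-restricted",
                             "namespace": ls_namespace}],
               "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                           "name": role["metadata"]["name"]}}
    return [role, binding]

def rbac_list(configmap):
    """A v1 List of every Role/RoleBinding pair; serialize it as JSON for `kubectl apply -f -`."""
    ls_ns = configmap["metadata"]["namespace"]
    items = [m for ns in scoped_namespaces(configmap) for m in rbac_for_namespace(ns, ls_ns)]
    return {"apiVersion": "v1", "kind": "List", "items": items}
```

Pipe `json.dumps(rbac_list(SAMPLE_CONFIGMAP))` into `kubectl apply -f -` to create all pairs at once; rerunning it after the Config Map changes adds the missing pairs without touching existing ones.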