4.2.7 Limiting visibility of namespaces in License Service

License Service can be configured to monitor only selected namespaces. However, limiting visibility of namespaces in License Service must be justified and approved by IBM® Compliance.

This feature is available from License Service version 4.2.7.

By default, License Service is allowed to detect IBM® products in all namespaces in the cluster.

If you have a valid business need to limit the access rights of License Service to only a subset of namespaces, you need to get an approval from IBM Compliance.

Limiting the visibility of namespaces that License Service can scan is also referred to as namespace scoping.

If you enable namespace scoping, you take responsibility for managing the scope of License Service whenever you plan to deploy IBM software in additional namespaces. Otherwise, you are at risk of being non-compliant.

Information about the limited visibility of namespaces is available in the audit snapshot that you generate with License Service. For more information, see Audit snapshot.

To enable namespace scoping, use one of the following methods:

Note: It is recommended to use only one of the available methods for namespace scoping. If you enable namespace scoping without OLM by using the Config Map, this setting takes precedence over OLM's OperatorGroups. Because of that, License Service watches the namespaces that are defined in the Config Map, even when different namespaces are configured with OperatorGroups.

Enabling namespace scoping by using Operator Lifecycle Manager (OLM)

The IBMLicensing operator uses the OLM OperatorGroups feature for namespace scoping. OperatorGroup, as an OLM feature, allows the configuration of namespace scoping on any Kubernetes infrastructure where OLM is used to manage the IBMLicensing operator.

Complete the following steps to enable namespace scoping.

  1. Open the License Service custom resource (CR).

    • From the OpenShift console:

      1. Log in to your OpenShift console.
      2. Go to Operators > Installed Operators.
      3. From the Project drop-down list, select All Projects.
      4. Select IBM Licensing.
      5. Select the IBM License Service tab. The instance of License Service custom resource is listed.
      6. From the overflow action menu, select Edit IBMLicensing.
    • From the command line:

      Run the following command:

         kubectl edit IBMLicensing instance -n ibm-licensing
      

      Note: The recommended namespace for License Service installation is ibm-licensing. The command contains this default namespace. However, you can install License Service in any other custom namespace. If you installed License Service in a custom namespace, replace ibm-licensing with the name of the custom namespace.

  2. Add the spec.features.nssEnabled parameter under the spec section and set it to true.

  3. Save the CR to apply the changes.

By default, the OperatorGroup CR is created with a list of namespaces that are recommended by ibm-licensing. However, the cluster administrator can expand the list of watched namespaces by modifying the created OperatorGroup.

The following is an example of an OperatorGroup that configures License Service, deployed in the ibm-licensing namespace, to have visibility into the following namespaces: ibm-licensing, ns1, and cpak-tenant-ns.

apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: ibm-licensing
  namespace: ibm-licensing
spec:
  targetNamespaces:
  - ibm-licensing
  - ns1
  - cpak-tenant-ns

Enabling namespace scoping without Operator Lifecycle Manager (OLM)

To enable namespace scoping without OLM, complete the following steps:

  1. Open the License Service custom resource (CR).

    • From the OpenShift console:

      1. Log in to your OpenShift console.
      2. Go to Operators > Installed Operators.
      3. From the Project drop-down list, select All Projects.
      4. Select IBM Licensing.
      5. Select the IBM License Service tab. The instance of License Service custom resource is listed.
      6. From the overflow action menu, select Edit IBMLicensing.
    • From the command line:

      Run the following command:

         kubectl edit IBMLicensing instance -n ibm-licensing
      

      Note: The recommended namespace for License Service installation is ibm-licensing. The command contains this default namespace. However, you can install License Service in any other custom namespace. If you install License Service in a custom namespace, replace ibm-licensing with the name of the custom namespace.

  2. Add the following parameters under the spec section:

    features:
      nssEnabled: true
      nssConfigMap: <CONFIG_MAP_NAME>
    

    where <CONFIG_MAP_NAME> is the name of the Config Map that contains the list of namespaces that you need to monitor with License Service. Names of namespaces must be separated with commas and listed as a single string under the data.namespaces key.

    The following is an example of a Config Map that configures License Service, deployed in the ibm-licensing namespace, to have visibility into the following namespaces: ibm-license-service-scanner, cloudpaks, ibm-products, and ibm-ace-testing.

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: ibm-licensing-custom-namespaces
      namespace: ibm-licensing
    data:
      namespaces: 'ibm-license-service-scanner,cloudpaks,ibm-products,ibm-ace-testing'
    

    Note: The example assumes that you installed License Service in the recommended ibm-licensing namespace. If you installed License Service in a custom namespace, change the value of the metadata.namespace parameter to this custom namespace.

  3. Configure a proper role for each namespace that you defined in the Config Map to allow License Service to scan these namespaces.

    The following is an example of a role that is created for the ibm-products namespace that you already defined in the Config Map:

     apiVersion: rbac.authorization.k8s.io/v1
     kind: Role
     metadata:
       name: ibm-ls-restricted-ibm-products-r
       namespace: ibm-products
     rules:
     - apiGroups:
       - ""
       resources:
       - configmaps
       verbs:
       - create
       - get
       - list
       - update
     - apiGroups:
       - ""
       resources:
       - pods
       verbs:
       - get
       - list
     - apiGroups:
       - "apps"
       resources:
       - deployments
       verbs:
       - get
       - list
    
  4. Configure a proper role binding for each namespace that you defined in the Config Map to map the role that you created in step 3 with the ibm-license-service-restricted Service Account.

    The following is an example of a role binding that is created for the previously created role for the ibm-products namespace that maps this role with the ibm-license-service-restricted Service Account:

     kind: RoleBinding
     apiVersion: rbac.authorization.k8s.io/v1
     metadata:
       name: ibm-ls-restricted-ibm-products-rb
       namespace: ibm-products
     subjects:
       - kind: ServiceAccount
         name: ibm-license-service-restricted
         namespace: ibm-licensing
     roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: Role
       name: ibm-ls-restricted-ibm-products-r
    

    Note: The example assumes that you installed License Service in the recommended ibm-licensing namespace. If you installed License Service in a custom namespace, change the namespace that is defined for the Service Account in subjects from ibm-licensing to your custom namespace.
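Steps 3 and 4 have to be repeated for every namespace listed in the Config Map, and a namespace that is listed but has no Role and RoleBinding is silently left unscanned. The following added shell example (not part of the IBM documentation) generates the per-namespace Role and RoleBinding from the same comma-separated string that goes under data.namespaces, using the verbs and naming convention of the examples above. It assumes that License Service runs in LS_NAMESPACE (default ibm-licensing) and uses the ibm-license-service-restricted Service Account.

```shell
# Added example, not from the IBM documentation. Assumptions: License Service
# runs in LS_NAMESPACE (default ibm-licensing) and uses the
# ibm-license-service-restricted Service Account, as in the page examples.
LS_NAMESPACE="${LS_NAMESPACE:-ibm-licensing}"

# Emit a Role (same verbs as the page example) plus the RoleBinding that maps it
# to the restricted Service Account, for the namespace passed as $1.
emit_rbac() {
  cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ibm-ls-restricted-$1-r
  namespace: $1
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create", "get", "list", "update"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ibm-ls-restricted-$1-rb
  namespace: $1
subjects:
- kind: ServiceAccount
  name: ibm-license-service-restricted
  namespace: $LS_NAMESPACE
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ibm-ls-restricted-$1-r
EOF
}

# Split the data.namespaces string on commas, drop stray spaces and empty
# entries, and emit RBAC for each namespace; pipe the output to: kubectl apply -f -
generate_rbac() {
  printf '%s\n' "$1" | tr -d ' \t\r' | tr ',' '\n' | while IFS= read -r ns; do
    if [ -n "$ns" ]; then emit_rbac "$ns"; fi
  done
}
```

After applying, `kubectl auth can-i list pods -n <namespace> --as=system:serviceaccount:ibm-licensing:ibm-license-service-restricted` confirms that the binding took effect for each listed namespace.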