IBM Cloud Pak foundational services cluster permissions
The IBM Cloud Pak foundational services operators and service workloads have cluster-level permissions as required for some of the operations that they perform. These permissions are closely tracked and documented so that users can understand any implications that they might have on other workloads in the cluster.
In prior releases of IBM Cloud Pak foundational services, all operators (and some workloads) had many cluster permissions, sometimes more than they needed to perform their jobs. In IBM Cloud Pak foundational services version 3.6.x and later, these permissions are restricted. Most operator and workload permissions are limited to a namespace scope and are selectively projected into namespaces as needed to support the requirements of dependent IBM Cloud Paks®. Users can determine exactly when and where IBM Cloud Pak foundational services permissions have authority over any individual namespace in the cluster. This gives the cluster administrator control over workload isolation.
Namespace Scope
In order to better support workload isolation, a Namespace Scope operator selectively "projects" IBM Cloud Pak foundational services operator roles and role bindings into a namespace when IBM Cloud Paks or containerized software request foundational services from that namespace. This allows foundational services to perform operations in the namespace.
From the command line, the cluster administrator can authorize each namespace that needs to interact with the foundational services.
For more information, see IBM NamespaceScope Operator.
Permissions
Remaining cluster permissions that operators and service workloads have are given in the following tables:
- IBM Common Service Operator
- Operand Deployment Lifecycle Manager
- IBM Namespace Scope Operator
- IBM License Service Operator
- IBM IM (Identity Management) Operator
- IBM IM Operand
- IBM Cert-manager Operator
- IBM Common UI Operator
- IBM Platform UI Operand
- IBM User Data Services Operator
IBM Common Service Operator
The foundational service operator bootstraps foundational services by installing their operators into the cluster as needed.
API group | Resources | Verbs | Description |
---|---|---|---|
"" | configmaps | Create, Get, List, Watch, Update, Delete | Used to create or update common-service-maps in the kube-public namespace. |
"" | secrets | Get | Required by cert-manager to perform operations, such as renewal, on secrets associated with the certs. |
storage.k8s.io | storageclasses | Get, List, Watch | Permission to automatically find usable storage classes in the cluster. |
admissionregistration.k8s.io | mutatingwebhookconfigurations, validatingwebhookconfigurations | Create, Get, List, Watch, Update, Delete, Patch | Required by the operator to create mutatingwebhookconfigurations and validatingwebhookconfigurations as part of the webhook resources. |
Operand Deployment Lifecycle Manager
The Operand Deployment Lifecycle Manager manages OLM operator subscriptions and deployments for the IBM Cloud Pak foundational services. IBM Cloud Paks request and interact with foundational services through Operand custom resources.
API group | Resources | Verbs | Description |
---|---|---|---|
operator.ibm.com | operandbindinfos, operandconfigs, operandregistries, operandrequests | Create, Get, List, Watch, Update, Delete, Patch | The Operand Deployment Lifecycle Manager owns the OperandBindInfo, OperandConfig, OperandRegistry, and OperandRequest resources. It requires cluster-level permissions to view these resources in case they are created (indicating that foundational services are requested) in any namespace in the cluster. Foundational services interact only with workloads in namespaces that contain one or more of these Operand CRs. |
operator.ibm.com | certmanagers, ibmlicensings, meteringreportservers, auditloggings | Create, Get, List, Watch, Update, Delete, Patch | These CRs are cluster-scoped, and the foundational services deployed by ODLM own them. These CRs are created only when their services are requested by IBM Cloud Paks. |
clusterhealth.ibm.com | clusterservicestatuses | Create, Get, List, Watch, Update, Delete, Patch | ClusterServiceStatus is the CR of ibm-healthcheck-operator. The CR is cluster-scoped. |
certmanager.k8s.io | clusterissuers | Create, Get, List, Watch, Update, Delete, Patch | ClusterIssuer is a CR of the ibm-cert-manager-operator. The CR is cluster-scoped. |
IBM Namespace Scope Operator
API group | Resources | Verbs | Description |
---|---|---|---|
"*" | "*" | Create, Delete, Get, List, Patch, Update, Watch, DeleteCollection | The IBM Namespace Scope Operator has no cluster permissions. An OpenShift cluster administrator must manually authorize the role and role binding from its namespace. For more information, see Authorizing foundational services to perform operations on workloads in a namespace. The runtime permissions of the operator from the original namespace are aggregated into a role for the operator in the target namespace. The name of the role in the target namespace is nss-runtime-managed-role-from-<original-namespace>. |
IBM License Service Operator
The license service is responsible for collecting usage information on any IBM Cloud Paks or containerized offerings running in a cluster to assist customers in managing their license compliance.
API group | Resources | Verbs | Description |
---|---|---|---|
"" | pods, namespaces, nodes | Get, List | The cluster permissions for the ibm-license-service service account are read-only permissions that are required to discover the running IBM applications and report license usage in Virtual Processor Core (VPC) and Processor Value Unit (PVU) metrics. |
operator.openshift.io | servicecas | List | These permissions are required to generate the TLS certificate for License Service. |
operator.ibm.com | ibmlicensings, ibmlicensings/status, ibmlicensings/finalizers | Create, Delete, Get, List, Patch, Update, Watch | The cluster permissions for the ibm-licensing-operator service account are required to manage the status of the IBM License Service operator. |
IBM IM Operator
The Identity Management (IM) operator is responsible for deploying and managing user identity management services.
API group | Resources | Verbs | Description |
---|---|---|---|
admissionregistration.k8s.io | mutatingwebhookconfigurations | Create, Get, List, Watch, Update, Delete | Permissions to intercept namespace creation by the account administrator to support multitenancy (workload isolation by namespace). |
rbac.authorization.k8s.io | clusterroles, clusterrolebindings | Create, Get, List, Watch, Update, Delete | Permissions to support console features. These permissions are also needed to create a set of default cluster roles, such as icp:accountadmin, and the cluster role bindings that bind default subjects to those roles. |
user.openshift.io | users | Create, Get, List, Watch, Update, Delete | Permissions to create the default admin user during installation. |
IBM IM Operand (workloads)
IM services deal only with identity and access for IBM Cloud Paks, through IBM Cloud Pak foundational services.
API group | Resources | Verbs | Description |
---|---|---|---|
core | namespaces | Get, List, Watch | Read-only permissions to watch the set of namespaces that the account administrator creates to support multitenancy (workload isolation by namespace). |
rbac.authorization.k8s.io | clusterrolebindings | Create, Get, List, Watch, Update, Delete | Permissions to support cluster administrator login on a public cloud. These permissions are also needed to assign roles to account administrators to support multitenancy. |
user.openshift.io | users, groups, identities | Create, Get, List, Watch, Update, Delete | Permissions to manage the shadowed users and groups in OpenShift. |
oauth.openshift.io | oauthclients | Create, Get, List, Watch, Update, Delete | Permissions to support client registration with the OpenID Connect (OIDC) provider. |
oauth.openshift.io | oauthtokens | Create, Get, List, Watch, Update, Delete | Permissions to work with the authentication tokens during the login flow. |
iam.policies.ibm.com | iampolicies | Create, Get, List, Watch, Update, Delete | This is a custom resource that the IBM IM operator creates. The permissions are needed to watch policies that IBM Cloud Pak users set across namespaces. This feature is used only by IBM Cloud Pak for Multicloud Management. |
IBM cert-manager Operator
API group | Resources | Verbs | Description |
---|---|---|---|
"" | configmaps | Create, Delete, List, Get, Watch, Update, Patch | Required by cert-manager for leader election and by the configmap-watcher service. |
"" | events | Create, Patch | Required by cert-manager to create and patch events for cert-manager resources. |
"" | pods, services | Get, List, Watch, Create, Delete | Required by cert-manager to perform operations, such as renewal, on secrets associated with the certs. |
"" | secrets | Get, List, Watch, Create, Update, Delete | Required by cert-manager to perform operations, such as renewal, on secrets associated with the certs. |
"" | serviceaccounts | List, Watch | Required by cert-manager to list and watch service accounts. |
admissionregistration.k8s.io | mutatingwebhookconfigurations, validatingwebhookconfigurations | * | Required by the operator to create mutatingwebhookconfigurations and validatingwebhookconfigurations as part of the webhook resources. |
admission.certmanager.k8s.io | certificates, issuers, clusterissuers, certificaterequests | * | Required by cert-manager-webhook for admission of cert-manager resources. |
apiextensions.k8s.io | customresourcedefinitions | * | Required by the operator to perform operations on all cert-manager operand CRDs. |
apps | deployments, statefulsets, daemonsets | * | Required by the cert-manager service to support the pod-refresh-after-cert-renewal feature. Also needed by configmap-watcher to restart pods when configmaps change. |
authorization.k8s.io | subjectaccessreviews | * | Required by cert-manager-webhook for API server authorization and authentication. |
cert-manager.io | certificates, certificaterequests, orders, challenges, clusterissuers, issuers | * | Required by cert-manager to perform all operations on cert-manager resources in any namespace. |
cert-manager.io | certificates/status, certificaterequests/status, orders/status, challenges/status, clusterissuers/status, issuers/status, certificates/finalizers, challenges/finalizers, orders/finalizers | Update | Required by cert-manager to perform all operations on cert-manager resources in any namespace. |
operator.ibm.com | certmanagerconfigs, certmanagerconfigs/finalizers, certmanagerconfigs/status | Create, Delete, Get, List, Patch, Update, Watch | Required by the operator because the certmanagers resource is cluster-scoped. The CR is cluster-scoped because the operator deploys cluster-scoped resources. |
operator.open-cluster-management.io | multiclusterhubs | Get, List, Watch | Required by the operator to detect whether Red Hat Advanced Cluster Management is installed. If it is installed, the operator does not deploy cert-manager. |
rbac.authorization.k8s.io | clusterroles, clusterrolebindings, rolebindings | Create, Get, List, Watch, Delete | Required by the operator to create the clusterrole and clusterrolebinding for the cert-manager operands, and to create the rolebinding in kube-system that cert-manager-webhook uses. |
security.openshift.io | securitycontextconstraints | Use | Required by the operator to enable or disable hostNetwork for cert-manager-webhook. Restricted to the resourceNames restricted and hostnetwork. |
certificates.k8s.io | certificatesigningrequests, certificatesigningrequests/status | Get, List, Watch, Update | Used to create and update the certificate secret. |
networking.k8s.io, networking.x-k8s.io | ingresses, httproutes, ingresses/finalizers, httproutes/finalizers | Create, Delete, Get, List, Update, Watch | Required by cert-manager to support CA bundle injection in ingresses and httproutes. |
IBM Common UI Operator
The following cluster permissions are installed when you install the operator.
API group | Resources | Verbs | Description |
---|---|---|---|
"" | deployments, configmaps, statefulsets, persistentvolumeclaims, pods, nodes, events, services, namespaces | Get, List | The Common UI requires this permission to collect data to display on the Administration panel for resources that are installed in a different namespace. In addition, services are watched so that they can be added automatically to the Common UI header. |
apps | deployments, daemonsets, statefulsets | Get, List | The Common UI requires this permission to collect data to display on the Administration panel. |
extensions | ingresses | Get, List | This permission is required to watch for new services to add automatically to the Common UI header. |
route.openshift.io | routes | Get, List | This permission is required to get routes for the Administration panel for any IBM Cloud Pak that is installed in a different namespace. |
IBM Platform UI Operator
The Platform UI (ibm-platformui-operator) operator is responsible for managing users and console access.
API group | Resources | Verbs | Description |
---|---|---|---|
"", batch, extensions, apps, policy, rbac.authorization.k8s.io, autoscaling, route.openshift.io, authorization.openshift.io, networking.k8s.io, metrics.k8s.io, template.openshift.io | pods, pods/log, poddisruptionbudgets, secrets, jobs, configmaps, deployments, deployments/scale, statefulsets, statefulsets/scale, replicasets, services, persistentvolumes, persistentvolumeclaims, cronjobs, pods/exec, pods/portforward, serviceaccounts, namespaces, roles, rolebindings, horizontalpodautoscalers, routes, routes/custom-host, ingresses, endpoints, cronjob, networkpolicies, events, jobs/status, pods/status, resourcequotas, resourcequotas/status, processedtemplates | apply, create, get, delete, watch, update, edit, exec, list, patch, scale, deletecollection | |
security.openshift.io | '*' | create, get, list, patch, update, watch, delete, use | |
monitoring.coreos.com | servicemonitors | get, create | |
admissionregistration.k8s.io | validatingwebhookconfigurations, mutatingwebhookconfigurations | create, delete, get, list, patch, update, watch | |
apps | deployments/finalizers | update | |
zen.cpd.ibm.com | '*' | create, delete, get, list, patch, update, watch | |
image.openshift.io | imagestreams, imagestreams/layers, imagestreams/secrets, imagestreams/status, imagestreamimages, imagestreamimports, imagestreammappings, imagestreamtags | create, delete, get, list, patch, update, watch | |
build.openshift.io | buildconfigs, buildconfigs/instantiate, buildconfigs/instantiatebinary, buildconfigs/webhooks, buildlogs, builds, builds/clone, builds/log, builds/details | create, delete, get, list, patch, update, watch | |
rbac.authorization.k8s.io | clusterrole, clusterroles, clusterrolebinding, clusterrolebindings | create, delete, get, list, patch, update, watch | |
oidc.security.ibm.com | client, clients | create, delete, get, list, patch, update, watch, use | |
operator.ibm.com | operandrequest, operandrequests | create, delete, get, list, patch, update, watch, use | |
IBM User Data Services Operator
The following cluster permissions are installed when you install the IBM User Data Services Operator.
API group | Resources | Verbs | Description |
---|---|---|---|
security.openshift.io | securitycontextconstraints | Get, Create, Delete, Bind, Escalate, List, Watch, Patch | Permission to create custom SCCs. |
rbac.authorization.k8s.io | clusterroles, clusterrolebindings, roles, rolebindings | Get, Create, Delete, Bind, Escalate, List, Watch, Patch | |
apiextensions.k8s.io | customresourcedefinitions | Get, Create, Delete, List, Patch, Update, Watch | Required by the operator to perform operations on CRDs. |
"" | secrets, pods, pods/exec, pods/log, services, services/finalizers, endpoints, persistentvolumeclaims, persistentvolumes, nodes, events, configmaps, serviceaccounts, namespaces | Create, Delete, Get, List, Patch, Update, Watch | |
config.openshift.io | clusterversions | Get, Create, Delete, List, Patch, Update, Watch | |
apps, extensions | deployments, daemonsets, replicasets, statefulsets | Get, Create, Delete, List, Patch, Update, Watch | |
uds.ibm.com | analyticsproxies, analyticsproxies/status, analyticsproxies/finalizers, generatekeys, generatekeys/status, generatekeys/finalizers | Get, Create, Delete, List, Patch, Update, Watch | |
batch | jobs, cronjobs | Get, Create, Delete, List, Patch, Update, Watch | |
route.openshift.io | routes, routes/custom-host | Get, Create, Delete, List, Patch, Update, Watch | This permission is required to get routes. |
ibmevents.ibm.com | kafkas, kafkas/status, kafkaconnects, kafkaconnects/status, kafkaconnects2is, kafkaconnects2is/status, kafkaconnectors, kafkaconnectors/status, kafkamirrormakers, kafkamirrormakers/status, kafkabridges, kafkabridges/status, kafkamirrormaker2s, kafkamirrormaker2s/status, kafkarebalances, kafkarebalances/status, kafkatopics, kafkatopics/status, kafkausers, kafkausers/status | Get, Create, Delete, List, Patch, Update, Watch | This permission is required for Kafka. |
operators.coreos.com | operatorgroups, subscriptions, clusterserviceversions | Get, Create, Delete, List, Patch, Update, Watch | |
authentication.k8s.io | tokenreviews | Create | |
authorization.k8s.io | subjectaccessreviews | Create | |
networking.k8s.io | networkpolicies | Get, Create, Delete, List, Patch, Update, Watch | |
autoscaling | horizontalpodautoscalers | Get, Create, Delete, List, Patch, Update, Watch | |
postgres-operator.crunchydata.com | postgresclusters, postgresclusters/status, postgresclusters/finalizers | Get, Create, Delete, List, Patch, Update, Watch | |
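Because these tables exist so that a cluster administrator can judge the implications of each grant, a practical check is to compare the ClusterRole actually bound to an operator's service account against the documented rows. The following Python is an added example, not IBM code: it flattens RBAC rules in the shape returned by `kubectl get clusterrole <name> -o json`, flags wildcards, the Bind and Escalate verbs that appear in the IBM User Data Services Operator table above, and write access to RBAC objects, and lists any grant the deployed role has that the table does not. `SAMPLE_RULES` is a constructed ClusterRole, `DOCUMENTED_RULES` transcribes two rows of that table, and the function names are this example's own.

```python
"""Audit a deployed ClusterRole's rules against a documented permission table.
Added example, not IBM code. SAMPLE_RULES is constructed in the shape of the
`rules` field of `kubectl get clusterrole <name> -o json`; DOCUMENTED_RULES
transcribe two rows of the IBM User Data Services Operator table on this page."""

RBAC_GROUP = "rbac.authorization.k8s.io"
# bind and escalate let a subject grant rights it does not hold itself;
# impersonate lets it act as another user. Each deserves a specific justification.
PRIVILEGE_VERBS = {"bind", "escalate", "impersonate"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

DOCUMENTED_RULES = [  # transcribed from the page (verbs as the API spells them)
    {"apiGroups": [RBAC_GROUP],
     "resources": ["clusterroles", "clusterrolebindings", "roles", "rolebindings"],
     "verbs": ["get", "create", "delete", "bind", "escalate", "list", "watch", "patch"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
     "verbs": ["get", "create", "delete", "list", "patch", "update", "watch"]},
]
SAMPLE_RULES = [  # constructed: the documented grants plus an undocumented "update"
    {"apiGroups": [RBAC_GROUP],
     "resources": ["clusterroles", "clusterrolebindings", "roles", "rolebindings"],
     "verbs": ["get", "create", "delete", "bind", "escalate", "list", "watch", "patch", "update"]},
    DOCUMENTED_RULES[1],
]

def expand(rules):
    """Flatten RBAC rules into a set of (apiGroup, resource, verb) triples."""
    return {(g, r, v.lower()) for rule in rules
            for g in rule.get("apiGroups", [""])
            for r in rule.get("resources", [])
            for v in rule.get("verbs", [])}

def is_covered(triple, documented):
    """True if a documented triple grants this one; '*' in the table matches anything."""
    g, r, v = triple
    return any(dg in ("*", g) and dr in ("*", r) and dv in ("*", v)
               for dg, dr, dv in documented)

def undocumented_grants(actual_rules, documented_rules):
    """Triples the deployed role grants that the documented table does not."""
    documented = expand(documented_rules)
    return sorted(t for t in expand(actual_rules) if not is_covered(t, documented))

def audit_rules(rules):
    """Flag wildcards, privilege-escalation verbs and write access to RBAC objects."""
    findings = []
    for g, r, v in sorted(expand(rules)):
        scope = f"{g or 'core'}/{r} {v}"
        if "*" in (g, r, v):
            findings.append(f"wildcard grant: {scope}")
        if v in PRIVILEGE_VERBS:
            findings.append(f"privilege-escalation verb: {scope}")
        if g == RBAC_GROUP and v in WRITE_VERBS:
            findings.append(f"write access to RBAC objects: {scope}")
    return findings
```

`undocumented_grants(SAMPLE_RULES, DOCUMENTED_RULES)` returns the four `update` grants on RBAC resources that the table does not list; replace `SAMPLE_RULES` with the `rules` field of a real ClusterRole and `DOCUMENTED_RULES` with the relevant table rows to audit a live cluster.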