Authorizing users for z/OS Cloud Broker by using role-based access control (RBAC)
You can authorize access to IBM® z/OS® Cloud Broker resources by using the Kubernetes and Red Hat® OpenShift® Container Platform role-based access control (RBAC) facilities.
RBAC objects, including rules, roles, and role bindings, allow you to define permissions and assign those permissions to users. Rules define the actions that are applied to specified resources in an OpenShift Container Platform cluster. A Role or ClusterRole resource contains a set of rules that represent permissions and can be bound to users or groups. In turn, a RoleBinding or ClusterRoleBinding resource respectively associates users or groups with a created Role or ClusterRole resource at the namespace or cluster scope. For more information about RBAC for OpenShift Container Platform, see Using RBAC to define and apply permissions in the OpenShift Container Platform documentation.
Important: To install the z/OS Cloud Broker Operator, you must be granted the cluster-admin ClusterRole by using a ClusterRoleBinding. Only a user who holds the cluster-admin role can grant other users cluster-admin access. For more information about how to add role-based control to a user, see Creating a cluster admin in the OpenShift Container Platform documentation.
Note: Users who have cluster-admin privileges do not need to apply the following examples because they already have authority to create all resources within OpenShift Container Platform.
1. Define rules and roles in YAML files.
The following RBAC policies are the minimum authorizations that are required for users to work with z/OS Cloud Broker. The policies define a cluster-wide role (ClusterRole) named zoscb-basic; because it is a ClusterRole, it can be bound in any project in the cluster. The role can be bound to users or groups, and it allows users to do the following tasks:
- View a specified project in OpenShift Container Platform.
- View workloads (Deployments and Pods) that are running in a project.
- View installed operators in a project.
- View created custom resource definitions (CustomResourceDefinitions).
- Create, read, update, and delete z/OS Cloud Broker instances and all suboperator instances.
Create a YAML (.yml) file, and copy the following content into the file. This procedure assumes that the YAML file is named zoscb-basic.yml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: zoscb-basic
rules:
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
  # Needed to view OCP projects UI
  - apiGroups:
      - project.openshift.io
    verbs:
      - get
    resources:
      - projects
  # Needed to view pods, logs, and general status - no create/update/exec
  - apiGroups:
      - ""
    verbs:
      - get
      - list
      - watch
    resources:
      - pods
      - pods/log
      - pods/status
      - events
      - namespaces
      - namespaces/status
  # Needed to view deployments and scale
  - apiGroups:
      - "apps"
    verbs:
      - get
      - list
      - watch
    resources:
      - deployments
      - deployments/scale
      - replicasets
  # Needed to view Installed Operators
  - apiGroups:
      - operators.coreos.com
    resources:
      - clusterserviceversions
      - catalogsources
      - installplans
      - subscriptions
      - operatorgroups
    verbs:
      - get
      - list
      - watch
  # Needed for working with z/OS Cloud Broker CRs
  - apiGroups:
      - zoscb.ibm.com
      - zpm.zoscb.ibm.com
      - zos-go.zpm.zoscb.ibm.com
      - zos-java.zpm.zoscb.ibm.com
      - zos-nodejs.zpm.zoscb.ibm.com
      - zos-opencpp.zpm.zoscb.ibm.com
      - zos-package-manager.zpm.zoscb.ibm.com
      - zos-python.zpm.zoscb.ibm.com
      - zos-zoau.zpm.zoscb.ibm.com
    resources:
      - "*"
    verbs:
      - create
      - update
      - get
      - list
      - watch
      - delete
2. Apply the roles to your OpenShift Container Platform cluster and bind the roles to users.
Important: To perform the following steps, you must be a cluster-admin, have RBAC privileges to create role bindings for users or groups, or both.
- Log in to the Red Hat OpenShift Container Platform web console for your cluster using your cluster-admin credentials. (See Logging in to Red Hat OpenShift Container Platform.)
- In the menu bar, from your user name menu, select Copy Login Command.
- In the new browser tab that opens, if necessary, log in using your cluster-admin credentials.
- Select Display Token.
- Copy the command that is displayed in the Log in with this token section of the token information page.
- In a command prompt, paste the command you copied in the preceding step and press Enter to log in to Red Hat OpenShift Container Platform.
- Apply the zoscb-basic role to Red Hat OpenShift Container Platform using the following command.
Note: If you named the YAML file something other than zoscb-basic.yml, be sure to specify that filename instead in the command.
oc create -f cluster-scoped/zoscb-basic.yml
- Bind the zoscb-basic role to a user, and limit the scope of the role to a namespace, using the following commands:
oc project <project-name>
oc adm policy add-role-to-user zoscb-basic <user-name>
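Before binding the role, it is worth confirming offline that zoscb-basic grants exactly the view-only access plus z/OS Cloud Broker CRUD described above and nothing more. The following added example (not IBM's code or tooling) transcribes the rules from the ClusterRole YAML in step 1 and evaluates requests with the same matching logic Kubernetes RBAC uses; the resource name zoscloudbrokers used in the check below is a hypothetical placeholder, since the wildcard "*" in that rule covers every resource in the listed API groups.

```python
# Offline evaluator for the zoscb-basic ClusterRole on this page, mirroring Kubernetes
# RBAC matching ("*" wildcards, exact names, "*/<sub>" for subresources such as pods/log).
from typing import Dict, List

Rule = Dict[str, List[str]]
# Transcribed from the ClusterRole YAML above; "" is the core API group.
ZOSCB_BASIC_RULES: List[Rule] = [
    {"apiGroups": ["apiextensions.k8s.io"],
     "resources": ["customresourcedefinitions"], "verbs": ["get"]},
    {"apiGroups": ["project.openshift.io"], "resources": ["projects"], "verbs": ["get"]},
    {"apiGroups": [""], "verbs": ["get", "list", "watch"],
     "resources": ["pods", "pods/log", "pods/status", "events",
                   "namespaces", "namespaces/status"]},
    {"apiGroups": ["apps"], "verbs": ["get", "list", "watch"],
     "resources": ["deployments", "deployments/scale", "replicasets"]},
    {"apiGroups": ["operators.coreos.com"], "verbs": ["get", "list", "watch"],
     "resources": ["clusterserviceversions", "catalogsources", "installplans",
                   "subscriptions", "operatorgroups"]},
    {"apiGroups": ["zoscb.ibm.com", "zpm.zoscb.ibm.com", "zos-go.zpm.zoscb.ibm.com",
                   "zos-java.zpm.zoscb.ibm.com", "zos-nodejs.zpm.zoscb.ibm.com",
                   "zos-opencpp.zpm.zoscb.ibm.com",
                   "zos-package-manager.zpm.zoscb.ibm.com",
                   "zos-python.zpm.zoscb.ibm.com", "zos-zoau.zpm.zoscb.ibm.com"],
     "resources": ["*"], "verbs": ["create", "update", "get", "list", "watch", "delete"]},
]

def _resource_matches(rule_resources: List[str], requested: str) -> bool:
    """Kubernetes ResourceMatches: "*", an exact name, or "*/<subresource>"."""
    sub = requested.split("/", 1)[1] if "/" in requested else ""
    return any(r == "*" or r == requested or (sub and r == "*/" + sub)
               for r in rule_resources)

def role_allows(rules: List[Rule], group: str, resource: str, verb: str) -> bool:
    """Rules are purely additive: one matching rule grants access; there is no deny."""
    return any(("*" in r["apiGroups"] or group in r["apiGroups"])
               and ("*" in r["verbs"] or verb in r["verbs"])
               and _resource_matches(r["resources"], resource)
               for r in rules)

def least_privilege_gaps(rules: List[Rule], must_deny: List[tuple]) -> List[tuple]:
    """Return every (group, resource, verb) the role grants although it should not."""
    return [req for req in must_deny if role_allows(rules, *req)]

# Constructed requests that the YAML comments say stay denied (no create/update/exec
# on pods, view-only scale); an empty list means the role is as tight as intended.
MUST_DENY = [("", "pods/exec", "create"), ("", "pods", "delete"),
             ("apps", "deployments/scale", "update"), ("", "secrets", "get")]
print(least_privilege_gaps(ZOSCB_BASIC_RULES, MUST_DENY))
```

Extend MUST_DENY with any request your own policy forbids; on a live cluster the same questions can be asked with oc auth can-i as the bound user.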
Related information
- Using RBAC to define and apply permissions in the OpenShift Container Platform documentation.