Installation roles and personas

Only a Red Hat® OpenShift® cluster administrator can complete certain planning and installation tasks. A project administrator can complete other tasks. Learn which role is set to complete each task, based on the installation method that you prefer.

Administrative roles

IBM® Concert supports separating roles and duties so the installation can proceed with as few restrictions as possible.

A Red Hat OpenShift Container Platform cluster administrator can complete all of the installation tasks. However, use the roles as they are defined in the following sections so that users require fewer permissions to complete some of the installation tasks.

The installation and upgrade tasks use the following tags to help you identify which users are involved in a task:

  • Cluster administrator
  • Registry administrator

Cluster administrator

A cluster administrator is responsible for setting up and preparing the cluster for IBM Concert. To complete these tasks, you must have the cluster-admin role.

A cluster administrator must complete the following tasks:

  • Setting up a cluster, which includes
    • Installing Red Hat OpenShift Container Platform, if it is not already installed
    • Installing persistent storage, if it is not already installed
    • Installing Multicloud Object Gateway, if needed
    • Setting up a private container registry, if needed
    • Ensuring the cluster is security hardened
    • Adding, expanding, or replacing nodes, as needed
  • Preparing the cluster for IBM Concert, which includes
    • Updating the global image pull secret
    • Manually creating the projects (namespaces) where the shared cluster components will be installed
    • Installing the shared cluster components
    • Configuring persistent storage for IBM Concert
    • Creating custom security context constraints (SCCs) for services, if needed
    • Adjusting node settings for services, if needed
  • Preparing the cluster for an instance of IBM Concert, which includes
    • (Optional) Manually creating the projects (namespaces) for the instance of IBM Concert
    • Setting namespace quotas and limit ranges on the projects that are associated with the instance
    • Applying the required permissions to the instance to ensure that the operators project for the instance can watch the operands project where the IBM Concert control plane and services will be installed

      If the instance will include tethered projects, ensure that you apply the required permissions to the tethered projects.

    • Assigning the required roles to the user or users who will administer the instance

    Each instance of IBM Concert is logically isolated from any other instances of Cloud Pak for Data on the cluster. For more information about the private topology, see Supported project (namespace) configurations.

Registry administrator

If you use a private container registry, you must have a user who can push images to the private container registry, such as a registry administrator.

The registry administrator is responsible for mirroring the IBM Concert software images from the IBM Entitled Registry to the private container registry.

The registry administrator does not need access to the Red Hat OpenShift Container Platform cluster.