Installation roles and personas
Administrative roles
IBM® Concert supports separating roles and duties so the installation can proceed with as few restrictions as possible.
A Red Hat OpenShift Container Platform cluster administrator can complete all of the installation tasks. However, use the roles as they are defined in the following sections so that users require fewer permissions to complete some of the installation tasks.
The installation and upgrade tasks use the following tags to help you identify which users are involved in a task:
- Cluster administrator
- Registry administrator
Cluster administrator
A cluster administrator is responsible for setting up and preparing the cluster for IBM Concert. To complete these tasks, you must have the cluster-admin role.
A cluster administrator must complete the following tasks:
- Setting up a cluster, which includes:
  - Installing Red Hat OpenShift Container Platform, if it is not already installed
  - Installing persistent storage, if it is not already installed
  - Installing Multicloud Object Gateway, if needed
  - Setting up a private container registry, if needed
  - Ensuring the cluster is security hardened
  - Adding, expanding, or replacing nodes, as needed
- Preparing the cluster for IBM Concert, which includes:
  - Updating the global image pull secret
  - Manually creating the projects (namespaces) where the shared cluster components will be installed
  - Installing the shared cluster components
  - Configuring persistent storage for IBM Concert
  - Creating custom security context constraints (SCCs) for services, if needed
  - Adjusting node settings for services, if needed
- Preparing the cluster for an instance of IBM Concert, which includes:
  - (Optional) Manually creating the projects (namespaces) for the instance of IBM Concert
  - Setting namespace quotas and limit ranges on the projects that are associated with the instance
  - Applying the required permissions to the instance to ensure that the operators project for the instance can watch the operands project where the IBM Concert control plane and services will be installed
    If the instance will include tethered projects, ensure that you apply the required permissions to the tethered projects.
  - Assigning the required roles to the user or users who will administer the instance
Each instance of IBM Concert is logically isolated from any other instances of Cloud Pak for Data on the cluster. For more information about the private topology, see Supported project (namespace) configurations.
Registry administrator
If you use a private container registry, you must have a user who can push images to the private container registry, such as a registry administrator.
The registry administrator is responsible for mirroring the IBM Concert software images from the IBM Entitled Registry to the private container registry.
The registry administrator does not need access to the Red Hat OpenShift Container Platform cluster.