Cluster role permissions

Role-based access control (RBAC) governs access to resources based on defined roles. Operators use ClusterRole permissions to act across the entire cluster, such as managing resources in multiple namespaces or monitoring cluster-wide configurations.

Most operators in a namespace-scoped IBM Content Cortex deployment do not require ClusterRole permissions. Permissions are defined only for the namespace of the deployment, which avoids the risk of unauthorized access from outside of the namespace.

However, the IBM Licensing Operator is an exception that requires specific cluster role permissions to manage licensing resources across the cluster, monitor deployments, and integrate with cluster-wide services. Other operators in the deployment do not need these cluster-level permissions. The following table lists the cluster role permissions needed specifically for the IBM Licensing Operator.

Table 1. IBM Licensing Operator cluster role permissions

| API Groups | Resources | Verbs | Description |
|---|---|---|---|
| "" (core) | configmaps, events, secrets, services, services/finalizers | create, delete, get, list, patch, update, watch | Manages core Kubernetes resources including configuration maps, events, secrets, and services for the licensing operator. |
| "" (core) | namespaces, serviceaccounts | get, list, watch | Monitors namespaces and service accounts across the cluster. |
| "" (core) | pods | get, list, patch, update, watch | Monitors and manages pod resources for licensing tracking. |
| apps | deployments | create, delete, get, list, patch, update, watch | Manages deployment resources for the licensing service. |
| extensions, networking.k8s.io | ingresses, networkpolicies | create, delete, get, list, patch, update, watch | Configures network ingress and policies for the licensing service. |
| marketplace.redhat.com | meterdefinitions | create, get, list, update, watch | Integrates with Red Hat Marketplace for metering and billing. |
| monitoring.coreos.com | servicemonitors | create, delete, get, list, update, watch | Configures Prometheus service monitors for licensing metrics. |
| operator.ibm.com | ibmlicensings, ibmlicensings/finalizers, ibmlicensings/status | create, delete, get, list, patch, update, watch | Manages IBM Licensing custom resources and their lifecycle. |
| operator.ibm.com | operandbindinfos | delete, get, list, watch | Monitors operand binding information for service integration. |
| operators.coreos.com | operatorgroups | get, list, patch, update, watch | Manages operator group configurations for multi-tenant deployments. |
| route.openshift.io | routes, routes/custom-host | create, delete, get, list, patch, update, watch | Configures OpenShift routes for external access to the licensing service. |
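Because the table is the documented ceiling for this operator's cluster-wide access, a practical check is to compare the ClusterRole actually bound in the cluster against it and flag any grant that exceeds it. The following is an added example, not IBM's code: it encodes Table 1 and audits a constructed ClusterRole (the role name and the drifted rules are made up for the demonstration) for undocumented or wildcard grants.

```python
"""Audit a ClusterRole against the documented IBM Licensing Operator permissions (Table 1)."""
from typing import Dict, List, Set, Tuple

# Expected grants transcribed from Table 1: (apiGroup, resource) -> allowed verbs.
EXPECTED: Dict[Tuple[str, str], Set[str]] = {}
ALL = ["create", "delete", "get", "list", "patch", "update", "watch"]

def _allow(groups: List[str], resources: List[str], verbs: List[str]) -> None:
    for group in groups:
        for resource in resources:
            EXPECTED[(group, resource)] = set(verbs)

_allow([""], ["configmaps", "events", "secrets", "services", "services/finalizers"], ALL)
_allow([""], ["namespaces", "serviceaccounts"], ["get", "list", "watch"])
_allow([""], ["pods"], ["get", "list", "patch", "update", "watch"])
_allow(["apps"], ["deployments"], ALL)
_allow(["extensions", "networking.k8s.io"], ["ingresses", "networkpolicies"], ALL)
_allow(["marketplace.redhat.com"], ["meterdefinitions"], ["create", "get", "list", "update", "watch"])
_allow(["monitoring.coreos.com"], ["servicemonitors"], ["create", "delete", "get", "list", "update", "watch"])
_allow(["operator.ibm.com"], ["ibmlicensings", "ibmlicensings/finalizers", "ibmlicensings/status"], ALL)
_allow(["operator.ibm.com"], ["operandbindinfos"], ["delete", "get", "list", "watch"])
_allow(["operators.coreos.com"], ["operatorgroups"], ["get", "list", "patch", "update", "watch"])
_allow(["route.openshift.io"], ["routes", "routes/custom-host"], ALL)

def excess_permissions(cluster_role: dict) -> List[str]:
    """Return one finding per (apiGroup, resource, verb) the role grants beyond Table 1.
    Wildcards ('*') are reported outright: the documented table never uses them."""
    findings: List[str] = []
    for rule in cluster_role.get("rules", []):
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    if "*" in (group, resource, verb):
                        findings.append(f"wildcard grant: apiGroup={group!r} resource={resource!r} verb={verb!r}")
                    elif verb not in EXPECTED.get((group, resource), set()):
                        findings.append(f"undocumented grant: apiGroup={group!r} resource={resource!r} verb={verb!r}")
    return findings

# Constructed sample (not a real IBM manifest): the documented deployments rule, a pods rule
# that has drifted to include 'delete', and a wildcard verb on secrets.
SAMPLE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "ibm-licensing-operator-audit-sample"},  # constructed name
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "patch", "update", "watch", "delete"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ALL},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]},
    ],
}

if __name__ == "__main__":
    for finding in excess_permissions(SAMPLE_ROLE):
        print(finding)
```

In a live cluster the same function can be fed the output of `kubectl get clusterrole <name> -o json` after parsing it with the `json` module.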