Authorizing foundational services to perform operations on workloads in a namespace

Manage operator and service workload authority across namespaces.

When you install the IBM Cloud Pak foundational services operator, it installs the IBM NamespaceScope Operator in the ibm-common-services namespace. The IBM Cloud Pak foundational services operator also deploys two NamespaceScope resources in the ibm-common-services namespace: common-service and nss-managedby-odlm. The Operand Deployment Lifecycle Manager manages the nss-managedby-odlm custom resource (CR) and adds the namespace of the OperandRequest into this CR. You can also manually add a namespace in the spec.namespaceMembers section of the common-service CR in the ibm-common-services namespace to authorize foundational services with permissions to that namespace. See Updating the CommonService custom resource. If you want to use the command-line interface (CLI) to update the NamespaceScope custom resource, see Updating the NamespaceScope CR by using the CLI.

The IBM NamespaceScope Operator automatically extends the watch and service account permission scope of operators and service workloads to other namespaces in your OpenShift cluster. The operator runs in the ibm-common-services namespace. It watches the target namespace and extends the roles and role bindings of the operator and associated workloads to the namespace that is specified in a NamespaceScope CR.

Following is a sample YAML specification of the NamespaceScope CR:

apiVersion: operator.ibm.com/v1
kind: NamespaceScope
metadata:
  name: namespacescope
  namespace: ibm-common-services
spec:
  namespaceMembers:
    - <your-IBM-Cloud-Pak-namespace>
    - <any-other-namespace>
  configmapName: namespace-scope
  restartLabels:
    intent: projected

Updating the NamespaceScope CR by using the CLI

Use the following commands to add a namespace in the spec.namespaceMembers section of the NamespaceScope CR:

  1. Get the namespaces that are in the namespaceMembers list to check whether your namespace is already in the list.

    oc -n ibm-common-services get namespacescope common-service -o yaml

  2. If required, add a namespace in the spec.namespaceMembers section of the CR.

    1. Open the CR for editing.
      oc -n ibm-common-services edit namespacescope common-service
    2. Add the namespace to the spec.namespaceMembers list.
    3. Save the changes and close the CR.
  3. Verify whether the namespace is added to the configmap.

    oc -n ibm-common-services get configmap namespace-scope -o yaml
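
The following script is an added example, not part of the IBM product or its documentation. It audits the result of the preceding steps: it reports any namespace in spec.namespaceMembers that is not on an approved list, and any member that is not yet present in the namespace-scope configmap. The APPROVED list and the sample values are constructed for illustration, and the script assumes that the configmap stores a comma-separated list under data.namespaces.

```sh
#!/bin/sh
# Added example: least-privilege audit of the common-service NamespaceScope CR.
NS=ibm-common-services

# Hypothetical allowlist of namespaces approved for foundational services.
APPROVED="ibm-common-services cp4i-prod"

# Constructed sample data. SAMPLE_MEMBERS mimics the space-separated jsonpath
# output for spec.namespaceMembers; SAMPLE_CONFIGMAP assumes the configmap
# keeps a comma-separated list under data.namespaces.
SAMPLE_MEMBERS="ibm-common-services cp4i-prod scratch-dev"
SAMPLE_CONFIGMAP="ibm-common-services,cp4i-prod"

# not_in "A B C" "B": print each word of $1 that is absent from $2.
not_in() (
  for item in $1; do
    found=0
    for ref in $2; do
      if [ "$item" = "$ref" ]; then found=1; break; fi
    done
    if [ "$found" -eq 0 ]; then printf '%s\n' "$item"; fi
  done
)

# audit MEMBERS APPROVED CONFIGMAP_CSV: print findings, return 1 if any exist.
audit() (
  synced=$(printf '%s' "$3" | tr ',' ' ')
  unapproved=$(not_in "$1" "$2")
  pending=$(not_in "$1" "$synced")
  for n in $unapproved; do echo "UNAPPROVED $n: in namespaceMembers, not on allowlist"; done
  for n in $pending; do echo "PENDING $n: in namespaceMembers, not yet in configmap"; done
  [ -z "$unapproved$pending" ]
)

if [ "${1:-}" = "--live" ]; then
  # Same objects as steps 1 and 3, read with jsonpath instead of -o yaml.
  members=$(oc -n "$NS" get namespacescope common-service \
    -o jsonpath='{.spec.namespaceMembers[*]}')
  cm=$(oc -n "$NS" get configmap namespace-scope -o jsonpath='{.data.namespaces}')
  audit "$members" "$APPROVED" "$cm"
else
  # Offline run over the constructed sample data.
  audit "$SAMPLE_MEMBERS" "$APPROVED" "$SAMPLE_CONFIGMAP" || echo "findings above"
fi
```

Run the script with --live while logged in to the cluster to check the real CR and configmap. In that mode, a nonzero exit status means at least one finding was reported.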

IBM NamespaceScope Operator (Restricted)

By default, the IBM NamespaceScope Operator has cluster administrator permissions, which you can use to automatically authorize permissions in your IBM Cloud Pak namespace.

If you do not want this operator to have cluster administrator permissions, you can add manualManagement: true in the spec section of the CommonService CR. For more information about how to access the CommonService CR, see Configuring IBM Cloud Pak foundational services by using the CommonService custom resource. See the following sample:

apiVersion: operator.ibm.com/v3
kind: CommonService
metadata:
  name: common-service
  namespace: ibm-common-services
spec:
  size: medium
  manualManagement: true

When you add manualManagement: true, the IBM NamespaceScope Operator Restricted is installed in place of the IBM NamespaceScope Operator.

The IBM NamespaceScope Operator Restricted has permission only within the ibm-common-services namespace. You need to manually authorize the IBM NamespaceScope Operator Restricted with permissions to your target namespace. After you create the CR with manualManagement: true, complete these steps from your OpenShift Container Platform command-line interface (CLI).

  1. Log in to your cluster as a cluster administrator by using the oc login command.
  2. Download the script that you need to manually authorize namespaces:
  3. Run the script.

    ./ <namespace>

    For example, if you want the service account of the IBM NamespaceScope Operator Restricted that is in the ibm-common-services namespace to have namespace administrator permission in the ibm-common-services namespace, you would run the following command:

    ./ common-service

    To revoke the permission, you would run this command:

    ./ common-service -delete