Authorizing foundational services to perform operations on workloads in a namespace
Manage operator and service workload authority across namespaces.
When you install the IBM Cloud Pak foundational services operator, it installs the IBM NamespaceScope Operator in the ibm-common-services namespace. The IBM Cloud Pak foundational services operator also deploys two NamespaceScope resources in the ibm-common-services namespace: common-service and nss-managedby-odlm. The Operand Deployment Lifecycle Manager manages the nss-managedby-odlm custom resource (CR) and adds the namespace of the OperandRequest into this CR. You can also manually add a namespace in the spec.namespaceMembers section of the common-service CR in the ibm-common-services namespace to authorize foundational services with permissions to that namespace. See Updating the CommonService custom resource. If you want to use the command-line interface (CLI) to update the NamespaceScope custom resource, see Updating the NamespaceScope CR by using the CLI.
The IBM NamespaceScope Operator automatically extends the watch and service account permission scope of operators and service workloads to other namespaces in your OpenShift cluster. The operator runs in the ibm-common-services namespace. It watches the target namespace and extends the roles and role bindings of the operator and associated workloads to the namespace that is specified in a NamespaceScope CR.
From foundational services version 3.22 onwards, the runtime permissions of the operator from the original namespace are aggregated into a role for the operator in the target namespace. The name of the role in the target namespace is nss-runtime-managed-role-from-<original-namespace>.
Following is a sample YAML specification of the NamespaceScope CR:

apiVersion: operator.ibm.com/v1
kind: NamespaceScope
metadata:
  name: namespacescope
  namespace: ibm-common-services
spec:
  namespaceMembers:
    - <your-IBM-Cloud-Pak-namespace>
    - <any-other-namespace>
  configmapName: namespace-scope
  restartLabels:
    intent: projected

- The namespaceMembers list contains the namespaces in the cluster that meet the following requirements:
  - These namespaces need to be watched by specific operators or operands that run in the ibm-common-services namespace.
  - The service accounts of the specific operator or operand pods in the ibm-common-services namespace are authorized to these namespaces.
  The namespace where you create the NamespaceScope CR, that is ibm-common-services, is always considered a namespace member, even if you do not add it to the list in the CR.
- The configmapName is the name of a configmap that is created to contain a namespaces key. The key has a comma-separated list of the namespaces that need to be watched. All operators and operands that want to participate in namespace extension must be configured to watch this key. The configmapName parameter is optional. The default value is namespace-scope. See the following example:

  env:
    - name: WATCH_NAMESPACE
      valueFrom:
        configMapKeyRef:
          name: namespace-scope
          key: namespaces

- The restartLabels list specifies the labels for the operator and operand pods that need to be restarted when the namespaceMembers list changes. The pods restart so that they can reset their watch parameters. Moreover, the IBM NamespaceScope Operator copies the roles that are used by these pods to the target namespaces that are in the namespaceMembers list. The restartLabels parameter is optional. The default label is intent=projected.
Updating the NamespaceScope CR by using the CLI
Use the following commands to add a namespace in the spec.namespaceMembers section of the NamespaceScope CR:
- Get the namespaces that are in the namespaceMembers list to check whether your namespace is already in the list.
  oc -n ibm-common-services get namespacescope common-service -o yaml
- If required, add a namespace in the spec.namespaceMembers section of the CR.
  - Open the CR for editing.
    oc -n ibm-common-services edit namespacescope common-service
  - Add the namespace to the spec.namespaceMembers list.
  - Save the changes and close the CR.
- Verify whether the namespace is added to the configmap.
  oc -n ibm-common-services get configmap namespace-scope -o yaml
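As an added check that is not part of the IBM documentation or the operator project: the following Python compares the NamespaceScope CR with the namespace-scope configmap it drives, using constructed samples of what oc get -o json would return, and reports namespaces that are authorized in the CR but not yet present in the configmap, or present in the configmap but no longer listed in the CR.

```python
import json

# Constructed sample of: oc -n ibm-common-services get namespacescope common-service -o json
NSS_CR_JSON = """{
  "apiVersion": "operator.ibm.com/v1",
  "kind": "NamespaceScope",
  "metadata": {"name": "common-service", "namespace": "ibm-common-services"},
  "spec": {
    "namespaceMembers": ["cloudpak-namespace", "team-b"],
    "configmapName": "namespace-scope",
    "restartLabels": {"intent": "projected"}
  }
}"""

# Constructed sample of: oc -n ibm-common-services get configmap namespace-scope -o json
NSS_CONFIGMAP_JSON = """{
  "apiVersion": "v1",
  "kind": "ConfigMap",
  "metadata": {"name": "namespace-scope", "namespace": "ibm-common-services"},
  "data": {"namespaces": "ibm-common-services,cloudpak-namespace,stale-ns"}
}"""


def expected_members(cr: dict) -> set:
    """Namespaces the CR authorizes: spec.namespaceMembers plus the CR's own namespace,
    which is always an implicit member even when it is absent from the list."""
    members = set(cr.get("spec", {}).get("namespaceMembers") or [])
    members.add(cr["metadata"]["namespace"])
    return members


def configmap_members(cm: dict) -> set:
    """Namespaces in the configmap's comma-separated `namespaces` key (the WATCH_NAMESPACE source)."""
    raw = cm.get("data", {}).get("namespaces", "")
    return {ns.strip() for ns in raw.split(",") if ns.strip()}


def audit_scope(cr_json: str, cm_json: str) -> dict:
    """missing: listed in the CR but not in the configmap (watch scope not yet extended).
    extra: in the configmap but not in the CR; operators watch whatever this key holds,
    so such entries deserve a review."""
    cr, cm = json.loads(cr_json), json.loads(cm_json)
    if cm["metadata"]["name"] != cr.get("spec", {}).get("configmapName", "namespace-scope"):
        raise ValueError("configmap name does not match spec.configmapName")
    want, have = expected_members(cr), configmap_members(cm)
    return {"missing": sorted(want - have), "extra": sorted(have - want), "in_sync": want == have}


if __name__ == "__main__":
    print(json.dumps(audit_scope(NSS_CR_JSON, NSS_CONFIGMAP_JSON), indent=2))
```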
IBM NamespaceScope Operator (Restricted)
By default, the IBM NamespaceScope Operator has cluster administrator permissions, which you can use to automatically authorize permissions in your IBM Cloud Pak namespace.
If you do not want this operator to have cluster administrator permissions, you can add manualManagement: true in the spec section of the CommonService CR. For more information about how to access the CommonService CR, see Configuring IBM Cloud Pak foundational services by using the CommonService custom resource.
See the following sample:

apiVersion: operator.ibm.com/v3
kind: CommonService
metadata:
  name: common-service
  namespace: ibm-common-services
spec:
  size: medium
  manualManagement: true

When you add manualManagement: true, the IBM NamespaceScope Operator Restricted is installed in place of the IBM NamespaceScope Operator.
The IBM NamespaceScope Operator Restricted has permission only within the ibm-common-services namespace. You need to manually authorize the IBM NamespaceScope Operator Restricted with permissions to your target namespace. After you create the CR with manualManagement: true, complete these steps from your OpenShift Container Platform command-line interface (CLI).
- Log in to your cluster as a cluster administrator by using the oc login command.
- Download the script that you need to manually authorize namespaces:
  - For foundational services installer versions 3.6 and 3.7, download the following script:
    wget https://raw.githubusercontent.com/IBM/ibm-namespace-scope-operator/release-1.1/scripts/authorize-namespace.sh
  - For foundational services installer versions 3.8 to 3.21, download the following script:
    wget https://raw.githubusercontent.com/IBM/ibm-namespace-scope-operator/release-ltsr/scripts/authorize-namespace.sh
  - For foundational services installer version 3.22 and later, download the following script:
    wget https://raw.githubusercontent.com/IBM/ibm-namespace-scope-operator/master/scripts/authorize-namespace.sh
- Run the script.
  ./authorize-namespace.sh <namespace>
  For example, if you want the service account of the IBM NamespaceScope Operator Restricted that is in the ibm-common-services namespace to have namespace administrator permission in the cloudpak-namespace namespace, which is the namespace where IBM Cloud Pak is installed, you would run the following command:
  ./authorize-namespace.sh cloudpak-namespace
  To revoke the permission, you would run this command:
  ./authorize-namespace.sh cloudpak-namespace -delete