Some planning and installation tasks can be completed only by a Red Hat®
OpenShift® cluster administrator, while other tasks
can be completed by a project administrator. Learn which role completes each task, based on
the installation method that you prefer.
Administrative roles
IBM Guardium® Insights relies on a separation of roles
and duties. This separation lets the installation workflow proceed with as few restrictions as
possible.
Two administrative roles are identified, each associated with a different level of permissions:
- OpenShift cluster administrator
- Project administrator
The following table describes the types of installation tasks that are associated with each
administrative role, depending on the installation method that is used.
Role | Express installation method tasks | Specialized installation method tasks |
Red Hat OpenShift cluster administrator |
- If IBM Guardium Insights foundational services is not already
installed, create the IBM Guardium Insights foundational services
project (namespace ibm-common-services) and associated operator groups. The
IBM Guardium Insights for Data platform operator and all Guardium Insights service operators are installed in this
namespace.
- Create a project for each instance of Guardium Insights on a single cluster. For example, for a single
instance, cpd-instance.
- Create the catalog source for IBM Guardium Insights foundational
services, the Guardium Insights operator, and any services
that you plan to install.
- Install the IBM Guardium Insights foundational services.
- Create the operator subscriptions for the IBM Guardium Insights
for Data platform operator and any services that you plan to install.
- Configure the namespaces by defining namespace quotas and Limit Ranges and
granting Guardium Insights Admins access to specific
instance namespaces.
- Install and configure the workload storage.
- Create any custom security context constraints (SCC) that are required for the additional
services that you plan to install.
- Change the node settings that are required for the additional services that you plan to
install.
- Change the node tuning and machine pool configurations for kernel settings
and cri-o settings (such as pids-limit, ulimit) that are
required for the additional services that you plan to install.
- Set up the image content source policy and any secrets to pull images from
the private container registry.
- Handle encryption and auditing, as well as other operations such as adding
and replacing nodes.
|
- If IBM Guardium Insights foundational services is not already
installed, create the IBM Guardium Insights foundational services
project (namespace ibm-common-services). Create the associated operator group.
- Create a dedicated project (for example, cpd-operator) where the IBM Guardium Insights for Data platform operator and all Guardium Insights service operators will be installed. Create the
associated operator group.
- Create a project for each instance of Guardium Insights on a single cluster. For example, for a single
instance, cpd-instance.
- Create the catalog source for IBM Guardium Insights foundational
services, the Guardium Insights operator, and any services
that you plan to install.
- Install the IBM Guardium Insights foundational services.
- Create the operator subscriptions for the IBM Guardium Insights
for Data platform operator and any services that you plan to install.
- Configure the namespaces by defining namespace quotas and Limit Ranges and
granting Guardium Insights Admins access to specific
instance namespaces.
- Install and configure the workload storage.
- Create any custom security context constraints (SCC) that are required for the additional
services that you plan to install.
- Change the node settings that are required for the additional services that you plan to
install.
- Change the node tuning and machine pool configurations for kernel settings
and cri-o settings (such as pids-limit, ulimit) that are
required for the additional services that you plan to install.
- Set up the image content source policy and any secrets to pull images from
the private container registry.
- Handle encryption and auditing, as well as other operations such as adding
and replacing nodes.
|
Project administrator for the specified project |
- Create an operand request to grant permission to the IBM Guardium Insights for Data platform operator and the IBM Guardium Insights foundational services operator to manage the project
where Guardium Insights will be installed. (For example,
the cpd-instance project.)
- Install Guardium Insights by creating a custom
resource in the appropriate project. (For example, in the cpd-instance
project.)
- Optionally integrate with the IAM service.
- Optionally create a custom route to the platform.
- Secure communication ports.
- Set up the web client.
- Install additional services.
|
- Create an operand request to grant permission to the IBM Guardium Insights for Data platform operator and the IBM Guardium Insights foundational services operator to manage the project
where Guardium Insights will be installed. (For example,
the cpd-instance project.)
- Update the IBM NamespaceScope operator in the
cpd-operator project to watch the project where Guardium Insights will be installed. (For example, the
cpd-instance project.)
- Install Guardium Insights by creating a custom
resource in the appropriate project. (For example, in the cpd-instance
project.)
- Optionally integrate with the IAM service.
- Optionally create a custom route to the platform.
- Secure communication ports.
- Set up the web client.
- Install additional services.
|
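A sketch of the namespace configuration task listed for the cluster administrator above (quotas, Limit Ranges, and access to an instance namespace), added here as an example and not taken from IBM's documentation. It assumes the cpd-instance project from the table and that the project administrator maps to the built-in admin cluster role; the user name, object names, and all quota and limit values are constructed placeholders.

```yaml
# Added example: applied by the cluster administrator, for example with `oc apply -f`.
# Object names, the user name, and all quota and limit values are constructed.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: instance-quota          # hypothetical name
  namespace: cpd-instance
spec:
  hard:
    requests.cpu: "32"          # constructed values, size them for your workload
    requests.memory: 128Gi
    limits.cpu: "64"
    limits.memory: 256Gi
---
apiVersion: v1
kind: LimitRange
metadata:
  name: instance-limits         # hypothetical name
  namespace: cpd-instance
spec:
  limits:
    - type: Container
      defaultRequest:           # applied when a container sets no request
        cpu: 100m
        memory: 256Mi
      default:                  # applied when a container sets no limit
        cpu: "1"
        memory: 2Gi
---
# Namespaced RoleBinding, not a ClusterRoleBinding: the project administrator
# gets the built-in "admin" role inside cpd-instance only, so cluster-scoped
# tasks such as custom SCCs and node tuning stay with the cluster administrator.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: guardium-project-admin  # hypothetical name
  namespace: cpd-instance
subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: gi-project-admin      # hypothetical user
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: admin
```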