YAML files contain information that is related to security constraints and access
permissions, such as cluster roles and cluster role bindings. When you create and apply YAML files
with Maximo® Visual Inspection, you can view important information such as
graphical processing unit (GPU) usage statistics.
Before you begin
Check that you have the following resources for creating and updating YAML files:
Procedure
- Open a command shell on the Red Hat OpenShift cluster.
- Connect as the cluster administrator by using the oc login command.
- Create a project in the Red Hat OpenShift cluster and name it using the following
format: mas-<instanceId>-visualinspection
  Note: If you are using Maximo Application Suite on Amazon Web Services, change instanceId to the following format: mas-<ClusterUniqueString>.
- Create a file that is named customscc.yaml and paste in the following text:
    allowHostDirVolumePlugin: false
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    allowPrivilegeEscalation: false
    allowPrivilegedContainer: false
    allowedCapabilities:
    - CHOWN
    - DAC_OVERRIDE
    - FOWNER
    - FSETID
    - KILL
    - SETGID
    - SETUID
    - SETPCAP
    - NET_BIND_SERVICE
    - NET_RAW
    - SYS_CHROOT
    allowedUnsafeSysctls: null
    apiVersion: security.openshift.io/v1
    defaultAddCapabilities: null
    fsGroup:
      type: RunAsAny
      ranges:
      - max: 65535
        min: 1
    groups: []
    kind: SecurityContextConstraints
    metadata:
      annotations:
        kubernetes.io/description: "This policy is the most restrictive for IBM Maximo Visual Inspection."
      name: ibm-mas-visualinspection-scc
    readOnlyRootFilesystem: false
    requiredDropCapabilities:
    - ALL
    runAsUser:
      type: MustRunAsRange
      uidRangeMax: 65535
      uidRangeMin: 0
    seLinuxContext:
      type: RunAsAny
    seccompProfiles: null
    supplementalGroups:
      type: MustRunAs
      ranges:
      - max: 65535
        min: 1
    users: []
    volumes:
    - configMap
    - downwardAPI
    - emptyDir
    - persistentVolumeClaim
    - projected
    - secret
- Create a file that is named clusterrole.yaml and paste in the following text:
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: ibm-mas-visualinspection-clusterrole
    rules:
    - apiGroups:
      - 'security.openshift.io'
      resources:
      - 'securitycontextconstraints'
      resourceNames:
      - 'ibm-mas-visualinspection-scc'
      verbs:
      - use
    - apiGroups:
      - ""
      resources:
      - nodes
      - pods
      verbs:
      - list
- Create a file that is called clusterrole_binding.yaml. Paste in the following text and replace <MVI_deployment_namespace> with the name of the project that you created.
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: ibm-mas-visualinspection-clusterrolebinding
    subjects:
    - kind: ServiceAccount
      name: ibm-mas-visualinspection-operator
      namespace: <MVI_deployment_namespace>
    roleRef:
      kind: ClusterRole
      name: ibm-mas-visualinspection-clusterrole
      apiGroup: rbac.authorization.k8s.io
- To apply the files that you created, run the following commands:
    oc apply -f customscc.yaml
    oc apply -f clusterrole.yaml
    oc apply -f clusterrole_binding.yaml
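
The three files only take effect together if their names line up: the ClusterRole must list the SCC under resourceNames, the binding's roleRef must name the ClusterRole, and the <MVI_deployment_namespace> placeholder must have been replaced. The following consistency check is an added example, not IBM's code; it assumes the manifests are already parsed into dictionaries, and the function name check_chain and the sample namespace mas-inst1-visualinspection are made up for illustration.

```python
import re

# Constructed sample: the page's three manifests as parsed dictionaries,
# reduced to the fields the check reads. The namespace is a made-up
# instance of the mas-<instanceId>-visualinspection format.
SCC = {"metadata": {"name": "ibm-mas-visualinspection-scc"}}
ROLE = {"metadata": {"name": "ibm-mas-visualinspection-clusterrole"},
        "rules": [
            {"apiGroups": ["security.openshift.io"],
             "resources": ["securitycontextconstraints"],
             "resourceNames": ["ibm-mas-visualinspection-scc"],
             "verbs": ["use"]},
            {"apiGroups": [""], "resources": ["nodes", "pods"], "verbs": ["list"]}]}
BINDING = {"subjects": [{"kind": "ServiceAccount",
                         "name": "ibm-mas-visualinspection-operator",
                         "namespace": "mas-inst1-visualinspection"}],
           "roleRef": {"kind": "ClusterRole",
                       "name": "ibm-mas-visualinspection-clusterrole",
                       "apiGroup": "rbac.authorization.k8s.io"}}

# RFC 1123 label, the form Kubernetes requires for namespace names.
NS_RE = re.compile(r"[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?")


def check_chain(scc, role, binding):
    """Return a list of problems in the SCC -> ClusterRole -> binding chain."""
    problems = []
    scc_name = scc["metadata"]["name"]
    # Rules that grant the 'use' verb on SCC resources.
    scc_rules = [r for r in role.get("rules", [])
                 if "securitycontextconstraints" in r.get("resources", [])
                 and "security.openshift.io" in r.get("apiGroups", [])
                 and "use" in r.get("verbs", [])]
    if any(not r.get("resourceNames") for r in scc_rules):
        # In RBAC, a rule without resourceNames applies to every object.
        problems.append("a rule grants 'use' on every SCC (no resourceNames)")
    elif not any(scc_name in r["resourceNames"] for r in scc_rules):
        problems.append(f"ClusterRole does not grant 'use' on SCC {scc_name}")
    if binding["roleRef"]["name"] != role["metadata"]["name"]:
        problems.append("roleRef.name does not match the ClusterRole name")
    for subject in binding.get("subjects", []):
        ns = subject.get("namespace", "")
        if not NS_RE.fullmatch(ns):  # also catches an unreplaced placeholder
            problems.append(f"subject namespace {ns!r} is not a valid project name")
    return problems
```

An empty list means the chain is consistent; any entry should be fixed before running the oc apply commands.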