Maximo Application Suite
Customer-managed

Creating and applying YAML files for deploying IBM® Maximo Visual Inspection

YAML files contain information that is related to security constraints and access permissions, such as cluster roles and cluster role bindings. When you create and apply YAML files with Maximo® Visual Inspection, you can view important information such as graphics processing unit (GPU) usage statistics.

Before you begin

Check that you have the following resources for creating and updating YAML files:

  • A text editor or your preferred application to create the YAML files.
  • Red Hat® OpenShift® CLI to run the commands.
    Note: Your environment might already be set up to run commands. For example, if you are using Maximo Application Suite on Amazon Web Services, you can use the boot node as the command shell.

Procedure

  1. Open a command shell on the Red Hat OpenShift cluster.
  2. Connect as the cluster administrator by using the oc login command.
  3. Create a project in the Red Hat OpenShift cluster and name it using the following format: mas-<instanceId>-visualinspection
    Note:

    If you are using Maximo Application Suite on Amazon Web Services, change instanceId to the following format: mas-<ClusterUniqueString>.

  4. Create a file that is named customscc.yaml and paste in the following text:
    
    allowHostDirVolumePlugin: false
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    allowPrivilegeEscalation: false
    allowPrivilegedContainer: false
    allowedCapabilities:
    - CHOWN
    - DAC_OVERRIDE
    - FOWNER
    - FSETID
    - KILL
    - SETGID
    - SETUID
    - SETPCAP
    - NET_BIND_SERVICE
    - NET_RAW
    - SYS_CHROOT
    allowedUnsafeSysctls: null
    apiVersion: security.openshift.io/v1
    defaultAddCapabilities: null
    fsGroup:
      type: RunAsAny
      ranges:
      - max: 65535
        min: 1
    groups: []
    kind: SecurityContextConstraints
    metadata:
      annotations:
        kubernetes.io/description: "This policy is the most restrictive for IBM Maximo Visual Inspection."
      name: ibm-mas-visualinspection-scc
    readOnlyRootFilesystem: false
    requiredDropCapabilities:
    - ALL
    runAsUser:
      type: MustRunAsRange
      uidRangeMax: 65535
      uidRangeMin: 0
    seLinuxContext:
      type: RunAsAny
    seccompProfiles: null
    supplementalGroups:
      type: MustRunAs
      ranges:
      - max: 65535
        min: 1
    users: []
    volumes:
    - configMap
    - downwardAPI
    - emptyDir
    - persistentVolumeClaim
    - projected
    - secret
  5. Create a file that is named clusterrole.yaml and paste in the following text:
    
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: ibm-mas-visualinspection-clusterrole
    rules:
    - apiGroups:
      - 'security.openshift.io'
      resources:
      - 'securitycontextconstraints'
      resourceNames:
      - 'ibm-mas-visualinspection-scc'
      verbs:
      - use
    - apiGroups:
      - ""
      resources:
      - nodes
      - pods
      verbs:
      - list
  6. Create a project in the Red Hat OpenShift cluster and name it using the following format: mas-<instanceId>-visualinspection.

    For Maximo Application Suite on Amazon Web Services, the instanceId has the following format: mas-<ClusterUniqueString>.

  7. Create a file that is called clusterrole_binding.yaml. Paste in the following text and replace <MVI_deployment_namespace> with the name of the project that you created.
    
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: ibm-mas-visualinspection-clusterrolebinding
    subjects:
    - kind: ServiceAccount
      name: ibm-mas-visualinspection-operator
      namespace: <MVI_deployment_namespace>
    roleRef:
      kind: ClusterRole
      name: ibm-mas-visualinspection-clusterrole
      apiGroup: rbac.authorization.k8s.io
    
  8. To apply the files that you created, run the following commands:
    
    oc apply -f customscc.yaml
    oc apply -f clusterrole.yaml
    oc apply -f clusterrole_binding.yaml
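
The three files refer to each other by name, and a mismatch is accepted by the cluster without error while granting nothing. The following script is an added example, not part of the IBM procedure: it checks those cross-references offline before step 8. The function names are hypothetical and the files are assumed to be laid out as shown in steps 4, 5 and 7.

```shell
#!/bin/sh
# Added example: offline consistency check for the files from steps 4, 5 and 7.
# Function names are hypothetical; only awk, grep and tr are used.

# Print the first "name:" value found under a top-level key (metadata, roleRef).
name_under() {  # usage: name_under <top-level-key> <file>
    awk -v key="$1:" '
        /^[^ #-]/ { in_block = ($1 == key) }
        in_block && $1 == "name:" { print $2; exit }
    ' "$2" | tr -d "\"'"
}

# Print the entries of every resourceNames: list in a ClusterRole file.
resource_names() {  # usage: resource_names <clusterrole.yaml>
    awk '
        $1 == "resourceNames:" { in_list = 1; next }
        in_list && $1 == "-" && NF == 2 && $2 !~ /:$/ { print $2; next }
        { in_list = 0 }
    ' "$1" | tr -d "\"'"
}

check_mvi_rbac() {  # usage: check_mvi_rbac <scc> <clusterrole> <binding>
    scc=$(name_under metadata "$1")
    role=$(name_under metadata "$2")
    ref=$(name_under roleRef "$3")
    ns=$(awk '$1 == "namespace:" { print $2; exit }' "$3")
    rc=0
    # The "use" verb is granted only for SCC names listed in resourceNames.
    if [ -z "$scc" ] || ! resource_names "$2" | grep -qxF -- "$scc"; then
        echo "ClusterRole does not list SCC '$scc' in resourceNames"; rc=1
    fi
    # roleRef must name the ClusterRole from step 5, or the binding grants nothing.
    if [ -z "$role" ] || [ "$ref" != "$role" ]; then
        echo "roleRef '$ref' does not match ClusterRole '$role'"; rc=1
    fi
    # The subject namespace must be the project from step 3, not the placeholder.
    case "$ns" in
        mas-?*-visualinspection) ;;
        *) echo "unexpected subject namespace '$ns'"; rc=1 ;;
    esac
    return "$rc"
}

# Run the check when the three file names are given on the command line.
if [ "$#" -eq 3 ]; then check_mvi_rbac "$@"; fi
```

Saved under a name of your choice, the script takes customscc.yaml, clusterrole.yaml and clusterrole_binding.yaml as its three arguments and exits non-zero if any check fails.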