Roles and permissions
Learn about the roles and permissions that are needed for deploying IBM® Netcool® Operations Insight® on Red Hat® OpenShift®. Different roles are needed for different deployment types.
Roles
OwnNamespace mode. All roles are deployed in one namespace for OwnNamespace mode. For SingleNamespace mode, there is an operator namespace and an operand namespace, which are listed in the following table. Roles are deployed in one or both namespaces for SingleNamespace mode.
Role | Deployment type | Namespaces for SingleNamespace mode |
---|---|---|
cloud-native-postgresql.v1.18.1 | All | Operator |
cloud-native-postgresql.v1.18.1-postgresql-operator--5cd8974cf7 | All | Operator and operand |
edb-license-role | All | Operator |
noi.v1.10.0 | All | Operator |
noi.v1.10.0-noi-operator-6b78fb7965 | All | Operator and operand |
postgresql-operator-controller-manager-1-18-1-service-cert | All | Operator |
<release_name>-noi-postgres-cluster | All | Operand |
<release_name>-proxy | Full cloud and geo-redundant cloud deployments | Operand |
<release_name>-cassandra-role | Geo-redundant deployments | Operand |
<release_name>-geored-ui-health-role | Geo-redundant deployments. This role can be disabled for separation of duties. | Operand |
nasm-app-disco-role | Cloud | |
<release_name>-topology-netdisco-get-role | Cloud. This role is applied if the Network Discovery observer is enabled. | |
Role examples
cloud-native-postgresql.v1.18.1
The cloud-native-postgresql.v1.18.1 role applies to all deployment types in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operator namespace.

Example:

```yaml
kind: Role
name: cloud-native-postgresql.v1.18.1
rules:
- apiGroups:
  - operators.coreos.com
  resourceNames:
  - cloud-native-postgresql.v1.18.1
  resources:
  - operatorconditions
  verbs:
  - get
  - update
  - patch
```
cloud-native-postgresql.v1.18.1-postgresql-operator--5cd8974cf7
The cloud-native-postgresql.v1.18.1-postgresql-operator--5cd8974cf7 role applies to all deployment types in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operator namespace and operand namespace.

Example:

```yaml
kind: Role
name: cloud-native-postgresql.v1.18.1-postgresql-operator--5cd8974cf7
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - watch
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - watch
- apiGroups:
  - ""
  resources:
  - pods/status
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - secrets/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - get
  - list
  - update
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - update
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - update
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - get
  - update
- apiGroups:
  - monitoring.coreos.com
  resources:
  - podmonitors
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - postgresql.k8s.enterprisedb.io
  resources:
  - backups
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - postgresql.k8s.enterprisedb.io
  resources:
  - backups/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - postgresql.k8s.enterprisedb.io
  resources:
  - clusters
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - postgresql.k8s.enterprisedb.io
  resources:
  - clusters/finalizers
  verbs:
  - update
- apiGroups:
  - postgresql.k8s.enterprisedb.io
  resources:
  - clusters/status
  verbs:
  - get
  - patch
  - update
  - watch
- apiGroups:
  - postgresql.k8s.enterprisedb.io
  resources:
  - poolers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - postgresql.k8s.enterprisedb.io
  resources:
  - poolers/finalizers
  verbs:
  - update
- apiGroups:
  - postgresql.k8s.enterprisedb.io
  resources:
  - poolers/status
  verbs:
  - get
  - patch
  - update
  - watch
- apiGroups:
  - postgresql.k8s.enterprisedb.io
  resources:
  - scheduledbackups
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - postgresql.k8s.enterprisedb.io
  resources:
  - scheduledbackups/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
```
edb-license-role
The edb-license-role role applies to all deployment types in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operator namespace.

Example:

```yaml
kind: Role
name: edb-license-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - secrets
  verbs:
  - create
  - update
  - patch
  - get
  - list
  - delete
  - watch
```
noi.v1.10.0
The noi.v1.10.0 role applies to all deployment types in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operator namespace.

Example:

```yaml
kind: Role
name: noi.v1.10.0
rules:
- apiGroups:
  - operators.coreos.com
  resourceNames:
  - noi.v1.10.0
  resources:
  - operatorconditions
  verbs:
  - get
  - update
  - patch
```
noi.v1.10.0-noi-operator-6b78fb7965
The noi.v1.10.0-noi-operator-6b78fb7965 role applies to all deployment types in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operator namespace and operand namespace.

Example:

```yaml
kind: Role
name: noi.v1.10.0-noi-operator-6b78fb7965
rules:
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - patch
  - update
  - delete
  - create
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  - rolebindings
  - clusterroles
  - clusterrolebindings
  verbs:
  - get
  - list
  - patch
  - update
  - delete
  - create
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - patch
  - update
  - delete
  - create
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  - services
  - services/finalizers
  - endpoints
  - persistentvolumeclaims
  - events
  - configmaps
  - secrets
  - role
  - rolebinding
  verbs:
  - get
  - list
  - patch
  - update
  - delete
  - create
  - watch
- apiGroups:
  - ""
  - extensions
  resources:
  - deployments
  - configmaps
  - ingresses
  - services
  - serviceaccounts
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - patch
  - update
  - delete
  - create
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
- apiGroups:
  - apps
  resources:
  - deployments
  - deployments/status
  - deployments/finalizers
  - daemonsets
  - replicasets
  - statefulsets
  - statefulsets/status
  verbs:
  - get
  - list
  - patch
  - update
  - delete
  - create
  - watch
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - get
  - list
  - patch
  - update
  - delete
  - create
  - watch
- apiGroups:
  - route.openshift.io
  resources:
  - routes
  - routes/custom-host
  verbs:
  - get
  - list
  - patch
  - update
  - delete
  - create
  - watch
- apiGroups:
  - noi.ibm.com
  resources:
  - nois
  - nois/status
  - nois/finalizers
  - noiformations
  - noiformations/status
  - noiformations/finalizers
  - noihybrids
  - noihybrids/status
  - noihybrids/finalizers
  - noiconnectionlayers
  - noiconnectionlayers/status
  - noiconnectionlayers/finalizers
  verbs:
  - get
  - list
  - patch
  - update
  - delete
  - create
  - watch
- apiGroups:
  - cem.ibm.com
  resources:
  - cemformations
  - cemformations/status
  - cemformations/finalizers
  - cemserviceinstances
  verbs:
  - get
  - list
  - patch
  - update
  - delete
  - create
  - watch
- apiGroups:
  - monitoring.coreos.com
  resources:
  - servicemonitors
  verbs:
  - get
  - create
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  - ingresses
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - asm.ibm.com
  resources:
  - asms
  - asmformations
  - asmformations/status
  - asmformations/finalizers
  - appdiscoes
  - appdiscoes/status
  - appdiscoes/finalizers
  verbs:
  - get
  - list
  - patch
  - update
  - delete
  - create
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps/status
  - endpoints
  verbs:
  - get
  - update
  - patch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - operators.coreos.com
  resources:
  - subscriptions
  - subscriptions/status
  - subscriptions/finalizers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - postgresql.k8s.enterprisedb.io
  resources:
  - clusters
  - clusters/status
  - clusters/finalizers
  - backups
  - backups/status
  - scheduledbackups
  - scheduledbackups/status
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
```
postgresql-operator-controller-manager-1-18-1-service-cert
The postgresql-operator-controller-manager-1-18-1-service-cert role applies to all deployment types in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operator namespace.

Example:

```yaml
kind: Role
name: postgresql-operator-controller-manager-1-18-1-service-cert
rules:
- apiGroups:
  - ""
  resourceNames:
  - postgresql-operator-controller-manager-1-18-1-service-cert
  resources:
  - secrets
  verbs:
  - get
```
<release_name>-noi-postgres-cluster
The <release_name>-noi-postgres-cluster role applies to all deployment types in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operand namespace.

Example:

```yaml
kind: Role
name: noi.v1.10.0
rules:
- apiGroups:
  - operators.coreos.com
  resourceNames:
  - noi.v1.10.0
  resources:
  - operatorconditions
  verbs:
  - get
  - update
  - patch
```
<release_name>-proxy
The <release_name>-proxy role applies to full cloud and geo-redundant cloud deployment types in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operand namespace.

Example:

```yaml
kind: Role
name: evtmanager-proxy
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - update
  - patch
  - watch
  - list
  - get
```
<release_name>-cassandra-role
The <release_name>-cassandra-role role applies to geo-redundant deployments in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operand namespace.

Example:

```yaml
kind: Role
name: evtmanager-cassandra-role
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  - pods
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - update
  - delete
```
<release_name>-geored-ui-health-role
The <release_name>-geored-ui-health-role role applies to geo-redundant deployments in OwnNamespace or SingleNamespace mode. In SingleNamespace mode, this role applies to the operand namespace. Disable this role for separation of duties.

Example:

```yaml
kind: Role
name: evtmanager-geored-ui-health-role
rules:
- apiGroups:
  - apps
  resourceNames:
  - evtmanager-webgui-primary
  resources:
  - statefulsets/status
  verbs:
  - get
- apiGroups:
  - apps
  resourceNames:
  - evtmanager-ibm-hdm-common-ui-uiserver
  resources:
  - deployments/status
  verbs:
  - get
```
nasm-app-disco-role
The nasm-app-disco-role role applies to cloud deployments in OwnNamespace mode. This role is only deployed if the Advanced Agile Discovery extension is enabled. For more information, see Installing extensions.

Example:

```yaml
kind: Role
name: nasm-app-disco-role
rules:
- apiGroups:
  - asm.ibm.com
  resources:
  - appdiscoes
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - asm.ibm.com
  resources:
  - appdiscoes/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  - services
  - pods
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps/status
  - endpoints
  verbs:
  - get
  - update
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  - ingresses
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - route.openshift.io
  resources:
  - routes
  - routes/custom-host
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
```
<release_name>-topology-netdisco-get-role
The <release_name>-topology-netdisco-get-role role applies to cloud deployments.

Example:

```yaml
kind: Role
name: evtmanager-topology-netdisco-get-role
rules:
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  - pods
  verbs:
  - get
  - list
```
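
A drift check for the role listed above, as an added example that is not IBM's code: it flattens the documented rules and a live Role (JSON in the shape that `oc get role <name> -o json` returns) into individual grants and reports permissions the page does not list. The live JSON, including the `noi` namespace, is a constructed sample, and the function names are assumptions.

```python
import json

# Documented baseline: rules of evtmanager-topology-netdisco-get-role as listed on this page.
DOCUMENTED_RULES = [
    {"apiGroups": [""], "resources": ["services", "endpoints", "pods"],
     "verbs": ["get", "list"]},
]

# Constructed sample of a live Role (not from a real cluster). Its rules are grouped
# differently from the page and grant two permissions the page does not list.
LIVE_ROLE_JSON = """
{
  "metadata": {"name": "evtmanager-topology-netdisco-get-role", "namespace": "noi"},
  "rules": [
    {"apiGroups": [""], "resources": ["services", "endpoints"], "verbs": ["list", "get"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "delete"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}
  ]
}
"""

def expand(rules):
    """Flatten RBAC rules into a set of (apiGroup, resource, resourceName, verb) grants."""
    grants = set()
    for rule in rules:
        # An absent or empty resourceNames list means every object of that resource.
        names = rule.get("resourceNames") or ["*"]
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for name in names:
                    for verb in rule.get("verbs", []):
                        grants.add((group, resource, name, verb))
    return grants

def diff_role(documented_rules, live_role):
    """Return (extra, missing) grants of a live Role relative to the documented rules."""
    documented = expand(documented_rules)
    live = expand(live_role.get("rules") or [])
    return sorted(live - documented), sorted(documented - live)

if __name__ == "__main__":
    extra, missing = diff_role(DOCUMENTED_RULES, json.loads(LIVE_ROLE_JSON))
    for grant in extra:
        print("EXTRA  ", grant)
    for grant in missing:
        print("MISSING", grant)
```

Wildcard entries (`*`) in a live rule are compared literally, so they surface as extra grants to review by hand.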