Configure Red Hat® OpenShift security
To enable the OpenShift® cluster to create Planning Analytics Workspace Distributed secrets, the installation configures the pa-config-secret service account.
If your storage provider requires that the ownership of mounted volumes be changed within the container, the installation configures a service account called pa-allow-rootuid that is used for all storage pods. The pa-allow-rootuid service account must be added to the appropriate security context object in your cluster that allows containers to run as root.
Both of these service accounts are restricted to the Planning Analytics Workspace Distributed project, which is paw by default. These service accounts are used only by the containers that are associated with Planning Analytics Workspace Distributed.
- The pa-allow-rootuid service account allows the Planning Analytics Workspace Distributed storage services to temporarily run as root so that correct file permissions can be set. After this step completes, the storage services run as a non-root user.
- The pa-config-secret service account allows the installation to create secrets in the cluster. Secrets are created in the cluster by a configuration container that is run during the installation of Planning Analytics Workspace Distributed. The installation also configures pa-config-secret role and role-binding objects that restrict the service account to manage only secrets within the Planning Analytics Workspace Distributed project.
  Note: Secrets configuration runs during the installation; it does not run as part of Planning Analytics Workspace Distributed itself.
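To confirm after installation that pa-config-secret really is limited to secrets in the project, the following added example (not part of the product or its installer) audits Role and RoleBinding objects shaped like the `items` list of `oc get role,rolebinding -n paw -o json`. The sample objects are constructed, and every object name other than the service account and project, as well as the verbs, is an assumption.

```python
# Added example: audit what the pa-config-secret service account is bound to.
def obj(kind, name, ns="paw", **body):
    return {"kind": kind, "metadata": {"name": name, "namespace": ns}, **body}

SA, PROJECT = "pa-config-secret", "paw"
SUBJECT = [{"kind": "ServiceAccount", "name": SA, "namespace": PROJECT}]

# Constructed sample objects; role/binding names and verbs are assumptions.
EXPECTED = [
    obj("Role", "pa-config-secret", rules=[
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "create", "update"]}]),
    obj("RoleBinding", "pa-config-secret", subjects=SUBJECT,
        roleRef={"kind": "Role", "name": "pa-config-secret"}),
]
# Constructed drift: a second, broader role and a ClusterRole bound to the same account.
DRIFTED = EXPECTED + [
    obj("Role", "too-broad", rules=[
        {"apiGroups": [""], "resources": ["secrets", "configmaps"], "verbs": ["*"]}]),
    obj("RoleBinding", "extra", subjects=SUBJECT,
        roleRef={"kind": "Role", "name": "too-broad"}),
    obj("RoleBinding", "admin-grant", subjects=SUBJECT,
        roleRef={"kind": "ClusterRole", "name": "admin"}),
]

def audit(items, sa=SA, project=PROJECT):
    """Return findings where the service account can touch more than secrets in the project."""
    roles = {(o["metadata"]["namespace"], o["metadata"]["name"]): o
             for o in items if o["kind"] == "Role"}
    findings = []
    for rb in (o for o in items if o["kind"] == "RoleBinding"):
        ns, name = rb["metadata"]["namespace"], rb["metadata"]["name"]
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa
                   and s.get("namespace", ns) == project for s in rb.get("subjects") or []):
            continue  # binding does not involve the audited service account
        ref = rb["roleRef"]
        if ns != project:
            findings.append(f"{ns}/{name}: binding is outside project {project}")
        role = roles.get((ns, ref["name"])) if ref["kind"] == "Role" else None
        if role is None:
            findings.append(f"{ns}/{name}: {ref['kind']} {ref['name']} not in input, review its rules")
            continue
        for rule in role.get("rules") or []:
            extra = sorted(set(rule.get("resources", [])) - {"secrets"})
            if extra or rule.get("apiGroups", [""]) != [""]:
                findings.append(f"{ns}/{name}: role {ref['name']} also grants {extra or rule['apiGroups']}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(DRIFTED)) or f"{SA} is limited to secrets in {PROJECT}")
```

ClusterRoleBindings are not namespaced and do not appear in this input, so check them separately for the same service account.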