Configure Red Hat® OpenShift security

To enable the OpenShift® cluster to create Planning Analytics Workspace Distributed secrets, the installation configures the pa-config-secret service account.

If your storage provider requires that the ownership of mounted volumes be changed within the container, the installation configures a service account called pa-allow-rootuid that is used for all storage pods. The pa-allow-rootuid service account must be added to the appropriate security context object in your cluster that allows containers to run as root.

Both of these service accounts are restricted to the Planning Analytics Workspace Distributed project, which is paw by default. These service accounts are used only by the containers that are associated with Planning Analytics Workspace Distributed.

  1. The pa-allow-rootuid service account allows the Planning Analytics Workspace Distributed storage services to temporarily run as root so that correct file permissions can be set. After this step completes, the storage services run as a non-root user.
  2. The pa-config-secret service account allows the installation to create secrets in the cluster. Secrets are created in the cluster by a configuration container that is run during the installation of Planning Analytics Workspace Distributed. The installation also configures pa-config-secret role and role-binding objects that restrict the service account to manage only secrets within the Planning Analytics Workspace Distributed project.
    Note: Secrets configuration runs during the installation; it does not run as part of Planning Analytics Workspace Distributed itself.
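
One way to confirm after installation that the pa-config-secret grant is scoped as described above is to audit the exported role and role-binding objects. The following is an added example, not part of the product documentation or installer; the sample objects are constructed, and their verbs and layout are assumptions because the page does not show the objects the installation creates.

```python
"""Audit exported Role/RoleBinding objects for the pa-config-secret grant."""

NAMESPACE = "paw"        # default project name from the page
SA = "pa-config-secret"  # service account name from the page

# Constructed samples shaped like items from `oc get role,rolebinding -n paw -o json`.
# The verbs and object layout are assumptions; the page does not show them.
GOOD_ROLE = {
    "kind": "Role",
    "metadata": {"name": SA, "namespace": NAMESPACE},
    "rules": [{"apiGroups": [""], "resources": ["secrets"],
               "verbs": ["get", "create", "update", "patch"]}],
}
GOOD_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": SA, "namespace": NAMESPACE},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": SA},
    "subjects": [{"kind": "ServiceAccount", "name": SA, "namespace": NAMESPACE}],
}


def audit(role, binding, namespace=NAMESPACE, sa=SA):
    """Return a list of findings; an empty list means the grant is project-scoped."""
    findings = []
    # Both objects must be the namespaced kinds and live in the project.
    for obj, kind in ((role, "Role"), (binding, "RoleBinding")):
        if obj.get("kind") != kind:
            findings.append(f"{obj.get('kind')} found where namespaced {kind} expected")
        if obj.get("metadata", {}).get("namespace") != namespace:
            findings.append(f"{kind} is not in project {namespace}")
    # Every rule must be limited to secrets in the core API group, without wildcards.
    for i, rule in enumerate(role.get("rules", [])):
        if rule.get("apiGroups") != [""] or rule.get("resources") != ["secrets"]:
            findings.append(f"rule {i} covers more than core-group secrets")
        if "*" in rule.get("verbs", []):
            findings.append(f"rule {i} uses wildcard verbs")
    ref = binding.get("roleRef", {})
    if (ref.get("kind"), ref.get("name")) != ("Role", role.get("metadata", {}).get("name")):
        findings.append("roleRef does not point at the audited Role")
    # The only subject allowed is the service account inside the project.
    expected = {"kind": "ServiceAccount", "name": sa, "namespace": namespace}
    subjects = binding.get("subjects") or []
    if not subjects:
        findings.append("binding has no subjects")
    for s in subjects:
        if {k: s.get(k) for k in expected} != expected:
            findings.append(f"unexpected subject {s.get('kind')}/{s.get('name')}")
    return findings
```

Feed `audit` the parsed JSON of the real objects from your cluster; any finding means the service account can reach beyond secrets in the project.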