Roles and personas
Different roles, cluster roles, and levels of access are needed to deploy a fully functioning IBM Storage Scale container native cluster.
Personas
Red Hat OpenShift cluster administrator
A user with cluster administrator privileges needs to deploy the IBM Storage Scale container native cluster. Cluster admin privileges are needed in order to create higher privilege artifacts such as:
- Namespaces
- Custom Resource Definitions
- Cluster Roles and Cluster Role Bindings
- Security Context Constraints
By having the OpenShift cluster administrator execute the cluster deployment, the operator pod can be configured in a more restricted manner with minimal privilege.
IBM Storage Scale storage cluster administrator
A user with privilege and access to configure the existing IBM Storage Scale storage cluster for remote access is also required for a successful deployment of an IBM Storage Scale container native cluster. Since the container native cluster utilizes remote mounts, the storage cluster admin must be able to execute commands against the storage cluster. For more information, see IBM Storage Scale storage cluster.
Lab administrator
A user with access to customer infrastructure and network is required to ensure a successful IBM Storage Scale container native cluster deployment. All OpenShift nodes that comprise the IBM Storage Scale container native cluster must be able to communicate with the remote IBM Storage Scale storage cluster. This may require a Lab Administrator to tune the customer network firewall to allow such communications. For more information, see Firewall recommendations.
Operator permissions
The IBM Storage Scale container native operator is a cluster-scoped operator. The operator watches all namespaces on the OpenShift cluster it is deployed into. Since the operator is cluster scoped, it requires access to cluster level resources to successfully deploy. Access to cluster level resources is handled through a cluster role that is deployed via RBAC YAML files. The cluster role is bound to the custom ibm-spectrum-scale-operator ServiceAccount, which the operator uses to create the IBM Storage Scale container native cluster.
To view the permissions of the operator, run the following command on a system that has a deployed container native operator:
oc describe clusterrole ibm-spectrum-scale-operator
This command lists every resource the operator has access to and the verbs it is allowed to perform on each of them.
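Reading the `describe` output by eye does not scale to a role with dozens of rules, so the following added script (not part of the IBM documentation) audits the machine-readable form of a ClusterRole, as returned by `oc get clusterrole ibm-spectrum-scale-operator -o json`, for the patterns that matter when reviewing an operator for least privilege: wildcard verbs or resources, privilege-escalation verbs (`bind`, `escalate`, `impersonate`), and write access to RBAC objects, SecurityContextConstraints or Secrets. The embedded ClusterRole JSON is a constructed sample written for this example; it is not the actual rule set of the IBM operator.

```python
"""Audit a Kubernetes/OpenShift ClusterRole for overly broad RBAC rules.

Added example, not IBM code. Input is the JSON produced by
`oc get clusterrole <name> -o json`; a constructed sample is embedded so the
script runs offline.
"""
import json
import sys

# Verbs that let a subject widen its own privileges (RBAC escalation paths).
ESCALATION_VERBS = frozenset({"bind", "escalate", "impersonate"})
# Verbs that mutate state; '*' implies all of them.
WRITE_VERBS = frozenset({"create", "update", "patch", "delete", "deletecollection", "*"})
# Resources where write access is equivalent to controlling the cluster's
# authorization or credentials.
SENSITIVE_RESOURCES = frozenset({
    "secrets", "roles", "rolebindings", "clusterroles", "clusterrolebindings",
    "securitycontextconstraints", "pods/exec", "nodes/proxy",
})

# Constructed sample: a plausible operator ClusterRole with a few deliberately
# over-broad rules mixed in with benign ones (rules 0 and 4 are fine).
SAMPLE_CLUSTERROLE_JSON = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-operator"},   # placeholder name
    "rules": [
        {"apiGroups": [""], "resources": ["namespaces", "configmaps"],
         "verbs": ["get", "list", "watch", "create"]},
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["rbac.authorization.k8s.io"],
         "resources": ["clusterroles", "clusterrolebindings"],
         "verbs": ["get", "create", "bind", "escalate"]},
        {"apiGroups": ["apps"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": ["security.openshift.io"],
         "resources": ["securitycontextconstraints"], "verbs": ["use"]},
    ],
})


def audit_clusterrole(doc: dict) -> list[str]:
    """Return one human-readable finding per risky pattern, in rule order."""
    findings: list[str] = []
    for idx, rule in enumerate(doc.get("rules", [])):
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        groups = ", ".join(rule.get("apiGroups", [])) or "core"

        # Wildcards: '*' on both axes is cluster-admin within those API groups.
        if "*" in verbs and "*" in resources:
            findings.append(f"rule {idx}: '*' verbs on '*' resources in apiGroups "
                            f"[{groups}] (cluster-admin equivalent)")
        elif "*" in verbs:
            findings.append(f"rule {idx}: '*' verbs on {sorted(resources)}")
        elif "*" in resources:
            findings.append(f"rule {idx}: '*' resources in apiGroups [{groups}] "
                            f"with verbs {sorted(verbs)}")

        # Verbs that allow the subject to grant itself more than it holds.
        escalation = verbs & ESCALATION_VERBS
        if escalation:
            findings.append(f"rule {idx}: privilege-escalation verbs "
                            f"{sorted(escalation)} on {sorted(resources)}")

        # Writes to authorization objects or credentials; plain reads of
        # secrets are reported separately because they still expose credentials.
        sensitive = resources & SENSITIVE_RESOURCES
        if sensitive and verbs & WRITE_VERBS:
            findings.append(f"rule {idx}: write access {sorted(verbs & WRITE_VERBS)} "
                            f"to sensitive resources {sorted(sensitive)}")
        elif "secrets" in resources:
            findings.append(f"rule {idx}: read access to secrets ({sorted(verbs)})")
    return findings


def audit_sample() -> list[str]:
    """Audit the embedded constructed sample (used when no file is given)."""
    return audit_clusterrole(json.loads(SAMPLE_CLUSTERROLE_JSON))


if __name__ == "__main__":
    # Usage: oc get clusterrole <name> -o json > role.json && python audit.py role.json
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            results = audit_clusterrole(json.load(fh))
    else:
        results = audit_sample()
    for line in results:
        print(line)
    print(f"{len(results)} finding(s)")
```

Every finding points at a rule index, so it can be matched against the `oc describe` output and either justified (the operator genuinely needs to create CRDs, SCCs or ClusterRoleBindings, as the personas above imply) or tightened. A rule such as the sample's `use` on SecurityContextConstraints produces no finding, since it neither writes the SCC nor grants escalation.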
Roles
Once an IBM Storage Scale container native cluster is operational, users can authenticate to the IBM Storage Scale container native GUI via existing OCP roles. For more information, see OpenShift users.