To import a container package that was exported from another cluster, you might need to configure the appropriate permissions to access the files within the archive.

Required roles

To complete this task, you must have one of the following roles:

  • Cluster administrator
  • Instance administrator

Checkinh whether permission configuration is required

To check whether you need to configure permissions for importing:

  1. Connect to the source cluster and run the following command:

    oc get ns NAMESPACE -o=jsonpath='{@.metadata.annotations.openshift\.io/sa\.scc\.supplemental-groups}'

  2. Connect to the target cluster and run the same command.

  3. Compare the output values. If the output values are identical, no configuration is required. Otherwise, you must configure permissions.

    Note: Namespaces might be different between source and target clusters.

Configuring permissions

If you must configure permissions, complete these steps:

  1. Copy the first value of the source cluster output from step 1 of Checking whether configuration is required to the target cluster.

    Example: For 1000670000/10000, the necessary value is 1000670000.

  2. On the target cluster, run the following command. Replace SOURCE_USER_ID with the value that you obtained in the previous step.

    oc patch ccs ccs-cr --type merge --patch '{"spec": {"catalog_api_exim_properties_supplemental_groups": [SOURCE_USER_ID]}}' -n NAMESPACE

    By running the command, you trigger the operator to update the deployment. The status of the CCS-CR operator is updated to In Progress. When the status changes to Completed, you can run import jobs from the source or target cluster.

  3. Complete these steps for any source cluster where the output of the permission check.

Parent topic: Migrating catalog assets (IBM Knowledge Catalog)