By default, a cluster administrator must install the scheduling service. However, you can optionally give
another user the minimum role-based access control (RBAC) that is needed to install the scheduling service.
- Who needs to complete this task?
  A cluster administrator must complete this task.
- When do you need to complete this task?
  Complete this task only if you want to enable another user to install the scheduling service without giving the user the cluster-admin role.
Restriction: You cannot use the minimum RBAC to upgrade the scheduling service from Cloud Pak for Data Version 4.5 or Version 4.6. The minimum RBAC is supported only for customers on Version 4.7.2 or later.
Before you begin
Best practice: You can run many of the commands in this task exactly as written if you set up environment variables for your installation. For instructions, see Setting up installation environment variables. Ensure that you source the environment variables before you run the commands in this task.
About this task
Use the show-minimum-rbac command to generate the YAML files that you can use to give a user the minimum RBAC to install the scheduling service.
Important: This task is recommended only for customers with extremely rigid security requirements. It is not recommended for most customers because it requires additional planning and maintenance.
You must re-run the show-minimum-rbac command each time you plan to install a newer version of the scheduling service, because a new release can introduce resources that the previous role does not cover. Re-running the command ensures that the user has sufficient permissions to manage the resources that are associated with the scheduling service.
Procedure
- Log the cpd-cli in to the Red Hat® OpenShift® Container Platform cluster.
  Remember: CPDM_OC_LOGIN is an alias for the cpd-cli manage login-to-ocp command.
- Set the ROLE_NAME environment variable to a unique identifier for the role.
  The name must meet the following requirements:
  - Start with an alphanumeric character
  - Contain only alphanumeric characters and dashes (-)
  - Be a maximum of 20 characters
  export ROLE_NAME=<role_name>
- Run the cpd-cli manage show-minimum-rbac command to generate the YAML files that you can use to create the roles with the minimum RBAC for the scheduling service:
  cpd-cli manage show-minimum-rbac \
  --components=scheduler \
  --release=${VERSION} \
  --role_name=${ROLE_NAME}
  The command generates the following YAML files in the work directory:
  ${ROLE_NAME}-cpd-instance-admin.${VERSION}.yaml
  ${ROLE_NAME}-cpd-instance-crs.${VERSION}.yaml
- Change to the work directory.
- Create the roles from the YAML files:
  - Create the ${ROLE_NAME}-cpd-instance-admin role in the project where the scheduling service will be installed:
    oc create \
    -f ${ROLE_NAME}-cpd-instance-admin.${VERSION}.yaml \
    --namespace=${PROJECT_SCHEDULING_SERVICE}
  - Create the ${ROLE_NAME}-cpd-instance-crs role in the project where the scheduling service will be installed:
    oc create \
    -f ${ROLE_NAME}-cpd-instance-crs.${VERSION}.yaml \
    --namespace=${PROJECT_SCHEDULING_SERVICE}
- Set the SCHEDULING_ADMIN environment variable to the username of the Red Hat OpenShift Container Platform user that you want to give administration privileges to.
  export SCHEDULING_ADMIN=<user>
- Assign the user the roles in the project where the scheduling service will be installed:
  Tip: The following steps use the oc adm policy add-role-to-user <role-name> <user-name> command. Alternatively, you can use the oc adm policy add-role-to-group <role-name> <group-name> command to authorize a group of Red Hat OpenShift Container Platform users.
  - Assign the user the ${ROLE_NAME}-cpd-instance-admin role:
    oc adm policy add-role-to-user ${ROLE_NAME}-cpd-instance-admin ${SCHEDULING_ADMIN} \
    --namespace=${PROJECT_SCHEDULING_SERVICE} \
    --role-namespace=${PROJECT_SCHEDULING_SERVICE}
  - Assign the user the ${ROLE_NAME}-cpd-instance-crs role:
    oc adm policy add-role-to-user ${ROLE_NAME}-cpd-instance-crs ${SCHEDULING_ADMIN} \
    --namespace=${PROJECT_SCHEDULING_SERVICE} \
    --role-namespace=${PROJECT_SCHEDULING_SERVICE}
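The following helper script is an added example, not part of the Cloud Pak for Data documentation or the cpd-cli tooling. It checks a candidate ROLE_NAME against the three naming requirements before you export it, and, after the role assignments, verifies from the project's role bindings that SCHEDULING_ADMIN is bound to both generated roles and nothing else was missed. The custom-columns query in the comment is an assumed way to obtain that input; adjust it if your oc version formats the output differently.

```shell
# Validate a candidate ROLE_NAME: alphanumeric start, alphanumerics and
# dashes only, at most 20 characters. Returns 0 if valid, 1 otherwise.
validate_role_name() {
  name="$1"
  if [ -z "$name" ]; then
    echo "ROLE_NAME is empty" >&2; return 1
  fi
  if [ "${#name}" -gt 20 ]; then
    echo "ROLE_NAME '$name' exceeds 20 characters" >&2; return 1
  fi
  case "$name" in
    [A-Za-z0-9]*) ;;
    *) echo "ROLE_NAME '$name' must start with an alphanumeric" >&2; return 1 ;;
  esac
  case "$name" in
    *[!A-Za-z0-9-]*)
      echo "ROLE_NAME '$name' may contain only alphanumerics and dashes" >&2
      return 1 ;;
  esac
  return 0
}

# Print the two file names that show-minimum-rbac generates for a role name
# and release, so the "oc create" steps can confirm both files exist.
expected_rbac_files() {
  printf '%s-cpd-instance-admin.%s.yaml\n' "$1" "$2"
  printf '%s-cpd-instance-crs.%s.yaml\n' "$1" "$2"
}

# Verify that USER is bound to both minimum-RBAC roles. Reads, on stdin,
# one "ROLE SUBJECTS" line per role binding, as produced by (assumed query):
#   oc get rolebindings -n "$PROJECT_SCHEDULING_SERVICE" --no-headers \
#     -o custom-columns=ROLE:.roleRef.name,SUBJECTS:.subjects[*].name
# Returns 0 only when both the -admin and -crs bindings include the user.
user_has_min_rbac() {
  role="$1"; user="$2"; have_admin=0; have_crs=0
  while read -r bound_role subjects; do
    case ",$subjects," in *",$user,"*) ;; *) continue ;; esac
    case "$bound_role" in
      "$role-cpd-instance-admin") have_admin=1 ;;
      "$role-cpd-instance-crs")   have_crs=1 ;;
    esac
  done
  [ "$have_admin" -eq 1 ] && [ "$have_crs" -eq 1 ]
}

# Constructed usage (not from the documentation):
#   validate_role_name "$ROLE_NAME" || exit 1
```

Run validate_role_name before the export ROLE_NAME step, and pipe the role-binding listing into user_has_min_rbac after the two add-role-to-user commands to confirm the grant took effect.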