Reauthorizing the NamespaceScope operator with the minimum RBAC (Upgrading from Version 5.2 to Version 5.4)

If you gave the NamespaceScope operator the minimum role-based access control (RBAC) when you installed IBM® Software Hub, you must update the role that is assigned to the operator so that the operator has sufficient privileges to help operators populate roles from the operator project to the instance project.

Upgrade phase
  • You are not here. Updating your client workstation
  • You are not here. Collecting required information
  • You are not here. Preparing to run an upgrade in a restricted network
  • You are not here. Preparing to run an upgrade from a private container registry
  • You are not here. Upgrading prerequisite software
  • You are not here. Upgrading shared cluster components
  • You are here icon. Preparing to upgrade an instance
  • You are not here. Upgrading an instance
  • You are not here. Setting up IBM Software Hub
Who needs to complete this task?

Cluster administrator A cluster administrator must complete this task.

When do you need to complete this task?
  • If you ran the authorize-instance-topology command when you installed IBM Software Hub, you can skip this task.
  • If you gave the NamespaceScope operator the minimum role-based access control (RBAC), you must complete this task to give the operator sufficient privileges on the instance.

    Repeat as needed If you have multiple instances of IBM Software Hub, you must repeat this task for each instance of IBM Software Hub that you plan to upgrade.

Before you begin

Best practice: You can run the commands in this task exactly as written using the installation environment variables. Ensure that you added the new environment variables from Updating your environment variables script.

In addition, ensure that you source the environment variables before you run the commands in this task.

To confirm whether the NamespaceScope operator is using the minimum RBAC, run the following command:

oc get role nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS} \
-n ${PROJECT_CPD_INST_OPERATORS} \
-o json | jq 'any(.rules[].apiGroups[]; . == "*")'
  • If the command returns true, the operator does not need to be reauthorized.
  • If the command returns false, the operator is using the minimum RBAC and must be reauthorized.

About this task

Use the show-minimum-rbac command to generate the YAML file that you can use to give the NamespaceScope operator the minimum RBAC to help operators populate roles from the operator project to the instance project.

You must regenerate and reapply the roles that are assigned to NamespaceScope operator so that the operator has sufficient privileges.

Procedure

  1. Log the cpd-cli in to the Red Hat® OpenShift® Container Platform cluster: 
    ${CPDM_OC_LOGIN}
    Remember: CPDM_OC_LOGIN is an alias for the cpd-cli manage login-to-ocp command.
  2. Run the cpd-cli manage show-minimum-rbac command to generate the YAML files that you can use to create the roles with the minimum RBAC for the NamespaceScope operator: 
    cpd-cli manage show-minimum-rbac \
--cpd_operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--components=${COMPONENTS} \
--release=${VERSION} \
--patch_id=${PATCH_ID}
    The command generates the following YAML file in the work directory:
    • nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}.yaml
  3. Change to the work directory.
  4. Create the nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS} role from the YAML nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}.yaml file:
    1. Create the nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS} role in the operators project for the instance: 
      oc apply \
-f nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}.yaml \
--namespace=${PROJECT_CPD_INST_OPERATORS}
    2. Create the nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS} role in the operands project for the instance: 
      oc apply \
-f nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}.yaml \
--namespace=${PROJECT_CPD_INST_OPERANDS}
    3. Create the nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS} role in any tethered projects for the instance: 
      oc apply \
-f nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}.yaml \
--namespace=${PROJECT_CPD_INSTANCE_TETHERED}
      Repeat this step for each tethered project that is associated with this instance of IBM Software Hub.
      Tip: If you set the PROJECT_CPD_INSTANCE_TETHERED_LIST environment variable, print the list of tethered projects to the terminal:
      echo $PROJECT_CPD_INSTANCE_TETHERED_LIST

      Use this information to set the PROJECT_CPD_INSTANCE_TETHERED environment variable before you re-run the command.

  5. Create the role bindings:
    1. Create the role binding in the operators project for the instance: 
      oc apply -f - << EOF
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}
  namespace: ${PROJECT_CPD_INST_OPERATORS}
  labels:
    managed-by: nss
subjects:
- kind: ServiceAccount
  name: ibm-namespace-scope-operator
  namespace: ${PROJECT_CPD_INST_OPERATORS}
roleRef:
  kind: Role
  name: nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}
  apiGroup: rbac.authorization.k8s.io
EOF
    2. Create the role binding in the operands project for the instance: 
      oc apply -f - << EOF
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}
  namespace: ${PROJECT_CPD_INST_OPERANDS}
  labels:
    managed-by: nss
subjects:
- kind: ServiceAccount
  name: ibm-namespace-scope-operator
  namespace: ${PROJECT_CPD_INST_OPERATORS}
roleRef:
  kind: Role
  name: nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}
  apiGroup: rbac.authorization.k8s.io
EOF
    3. Create the role binding in any tethered projects for the instance: 
      oc apply -f - << EOF
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}
  namespace: ${PROJECT_CPD_INSTANCE_TETHERED}
  labels:
    managed-by: nss
subjects:
- kind: ServiceAccount
  name: ibm-namespace-scope-operator
  namespace: ${PROJECT_CPD_INST_OPERATORS}
roleRef:
  kind: Role
  name: nss-managed-role-from-${PROJECT_CPD_INST_OPERATORS}
  apiGroup: rbac.authorization.k8s.io
EOF
      Repeat this step for each tethered project that is associated with this instance of IBM Software Hub.
      Tip: If you set the PROJECT_CPD_INSTANCE_TETHERED_LIST environment variable, print the list of tethered projects to the terminal:
      echo $PROJECT_CPD_INSTANCE_TETHERED_LIST

      Use this information to set the PROJECT_CPD_INSTANCE_TETHERED environment variable before you re-run the command.

What to do next

Now that you've updated the permissions on the NamespaceScope operator , you're ready to complete Reauthorizing an instance administrator with the minimum RBAC to upgrade components (Upgrading from Version 5.2 to Version 5.4).