Cluster-scoped permissions required by the Platform UI instance

The IBM Cloud Pak® for Integration operator requires various cluster-scoped permissions as part of its functionality.

  • List specific Consoles: Allows the IBM Cloud Pak for Integration operator to identify the URL derived from the host for the route that is created for the OpenShift web console.
    • API Groups: config.openshift.io
    • Resources: consoles
    • Verbs: get, list, watch
  • List specific ClusterVersions: Allows the IBM Cloud Pak for Integration operator to identify the OCP version that the cluster is reconciling towards.
    • API Groups: config.openshift.io
    • Resources: clusterversions
    • Verbs: get, list, watch
  • Manage ValidatingWebhookConfigurations: The IBM Cloud Pak for Integration operator uses validation webhooks to provide immediate validation and feedback about the creation and modification of Platform UI instances. The permission to manage webhooks is required for the operator to register these actions.
    • API Groups: admissionregistration.k8s.io
    • Resources: validatingwebhookconfigurations
    • Verbs: create, delete, get, update
  • Manage ConsoleYAMLSamples: ConsoleYAMLSamples are used to provide samples for the Cloud Pak for Integration resources in the OpenShift web console. The permission to manage ConsoleYAMLSamples is required for the operator to register the setting up of samples.
    • API Groups: console.openshift.io
    • Resources: consoleyamlsamples, consolequickstarts, consolelinks
    • Verbs: create, delete, get, update
  • List specific CustomResourceDefinitions: Required to allow the IBM Cloud Pak for Integration operator to give permissions to the Platform UI, in order to identify whether other optional dependencies have been installed into the cluster.
    • API Groups: apiextensions.k8s.io
    • Resources: customresourcedefinitions
    • Verbs: get, list
  • Manage ClusterRoles and ClusterRoleBindings: The IBM Cloud Pak for Integration operator gives the Platform UI permissions to list CustomResourceDefinitions, which are cluster-scoped objects. These permissions must be created and managed as ClusterRoles. The permission to manage ClusterRoleBindings allows the operator to identify the appropriate ClusterRole created.
    • API Groups: rbac.authorization.k8s.io
    • Resources: clusterroles, clusterrolebindings
    • Verbs: create, delete, get, list, update, watch
  • List instances: Required for managing versions and upgrades using the Platform UI.
    • API Groups: integration.ibm.com
    • Resources: platformnavigators, operationsdashboards, assetrepositories, integrationassemblies, messagingservers, messagingqueues, messagingchannels, messagingusers
    • Verbs: get, list
  • List instances: Required for managing versions and upgrades using the Platform UI.
    • API Groups: mq.ibm.com
    • Resources: queuemanagers
    • Verbs: get, list
  • List instances: Required for managing versions and upgrades using the Platform UI.
    • API Groups: appconnect.ibm.com
    • Resources: dashboards, designerauthorings, integrationruntimes, integrationservers
    • Verbs: get, list
  • List instances: Required for managing versions and upgrades using the Platform UI.
    • API Groups: apiconnect.ibm.com
    • Resources: apiconnectclusters
    • Verbs: get, list
  • List instances: Required for managing versions and upgrades using the Platform UI.
    • API Groups: management.apiconnect.ibm.com
    • Resources: managementclusters
    • Verbs: get, list
  • List instances: Required for managing versions and upgrades using the Platform UI.
    • API Groups: eventendpointmanager.apiconnect.ibm.com
    • Resources: eventendpointmanagers
    • Verbs: get, list
  • List instances: Required for managing versions and upgrades using the Platform UI.
    • API Groups: hsts.aspera.ibm.com
    • Resources: ibmasperahstss
    • Verbs: get, list
  • List instances: Required for managing versions and upgrades using the Platform UI.
    • API Groups: eventstreams.ibm.com
    • Resources: eventstreams
    • Verbs: get, list
  • List instances: Required for managing versions and upgrades using the Platform UI.
    • API Groups: datapower.ibm.com
    • Resources: datapowerservices
    • Verbs: get, list
  • List instances: Required for managing versions and upgrades using the Platform UI.
    • API Groups: events.ibm.com
    • Resources: eventendpointmanagements, eventgateways
    • Verbs: get, list
  • Manage ClusterServiceVersions, Subscriptions, CatalogSources and Operators: Required for managing versions and upgrades using the Platform UI.
    • API Groups: operators.coreos.com
    • Resources: clusterserviceversions, subscriptions, catalogsources, operators
    • Verbs: get, list
  • List PackageManifests: Required for managing versions and upgrades using the Platform UI.
    • API Groups: packages.operators.coreos.com
    • Resources: packagemanifests
    • Verbs: list
  • Manage ConfigMaps: Required for managing versions and upgrades using the Platform UI.
    • API Groups: ""
    • Resources: configmaps
    • Verbs: create, delete, get, list, update, watch
  • Manage Routes: Required for editing the Platform UI route to use a custom hostname.
    • API Groups: route.openshift.io
    • Resources: routes/custom-host
    • Verbs: create, list, watch, delete, get, update
  • Read Storage Classes: Allows the IBM Cloud Pak for Integration operator to detect whether a default storage class has been set.
    • API Groups: ""
    • Resources: storageclasses
    • Verbs: get, list
  • Manage ValidatingAdmissionPolicies and ValidatingAdmissionPolicyBindings: Required for the Platform UI to manage these resources.
    • API Groups: ""
    • Resources: validatingadmissionpolicies, validatingadmissionpolicybindings
    • Verbs: create, update, watch, delete, list, get, patch
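An added example (not IBM's code): a least-privilege check that compares the rules of a ClusterRole against the grants documented above and reports anything beyond them. The `DOCUMENTED` table embeds only a subset of the list, and the sample rules and the names `DOCUMENTED`, `SAMPLE_RULES` and `excess_grants` are constructed for illustration.

```python
import json

# Documented grants copied from the list above (subset), keyed by (apiGroup, resource).
DOCUMENTED = {
    ("config.openshift.io", "consoles"): {"get", "list", "watch"},
    ("config.openshift.io", "clusterversions"): {"get", "list", "watch"},
    ("admissionregistration.k8s.io", "validatingwebhookconfigurations"):
        {"create", "delete", "get", "update"},
    ("rbac.authorization.k8s.io", "clusterroles"):
        {"create", "delete", "get", "list", "update", "watch"},
    ("rbac.authorization.k8s.io", "clusterrolebindings"):
        {"create", "delete", "get", "list", "update", "watch"},
    ("operators.coreos.com", "subscriptions"): {"get", "list"},
    ("packages.operators.coreos.com", "packagemanifests"): {"list"},
    ("", "configmaps"): {"create", "delete", "get", "list", "update", "watch"},
}

# Constructed sample: the "rules" array of a ClusterRole as printed by
# `oc get clusterrole <name> -o json` (not taken from a real cluster).
SAMPLE_RULES = json.loads("""[
  {"apiGroups": ["config.openshift.io"], "resources": ["consoles"],
   "verbs": ["get", "list", "watch"]},
  {"apiGroups": ["operators.coreos.com"], "resources": ["subscriptions"],
   "verbs": ["get", "list", "patch"]},
  {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
   "verbs": ["*"]},
  {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
  {"nonResourceURLs": ["/healthz"], "verbs": ["get"]}
]""")

def excess_grants(rules, documented=DOCUMENTED):
    """Return sorted (apiGroup, resource, verb) triples granted beyond the documented list.

    Wildcards ("*") are never in the documented sets, so they are always reported.
    """
    findings = set()
    for rule in rules:
        # Rules with only nonResourceURLs carry no apiGroups/resources and are skipped.
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                allowed = documented.get((group, resource), set())
                findings.update((group, resource, verb)
                                for verb in rule.get("verbs", []) if verb not in allowed)
    return sorted(findings)

if __name__ == "__main__":
    for group, resource, verb in excess_grants(SAMPLE_RULES):
        print(f"undocumented grant: apiGroup={group!r} resource={resource} verb={verb}")
```

To audit a full role, extend `DOCUMENTED` with the remaining entries from the list before running it against the exported rules.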