Prerequisites

Before you install IBM Operational Decision Manager on Certified Kubernetes, make sure that you install the necessary software and prepare your cluster.

For more information about the level of integration with third-party Certified Kubernetes environments, see the Support statement.

Software requirements

The following software is required.

Docker: For the supported versions, see the detailed system requirements.
Kubernetes: For the supported versions, see the detailed system requirements.
Helm: For the supported versions, see the detailed system requirements.

Persistence requirements

Operational Decision Manager must persist data in a database. You have three ways to persist the data: use the PostgreSQL internal database, use a supported external database, or use a custom external database. For more information, see Configuring the database.

PersistentVolume

If you are using the internal database without dynamic provisioning (parameters internalDatabase.persistence.enabled=true and internalDatabase.persistence.dynamicProvisioning=false), one PersistentVolume must be created before to installing the chart. If you prefer to use an external database, make sure to create an instance of the external database.

For more information, see Preparing to install IBM Operational Decision Manager.

Database Credentials Secret

To preserve sensitive data, you must create a secret that encapsulates the database user and password before you install the Helm release.

Specify the name of the secret as the value for the parameters internalDatabase.secretCredentials or externalDatabase.secretCredentials, depending on the type of database you use.

For more information, see Preparing to install IBM Operational Decision Manager.

Security requirements

New in 8.10.5 ServiceAccount requirements

By default, the Helm chart creates and uses a custom service account that is named release_name-ibm-odm-dev-service-account for a developer edition, or release_name-ibm-odm-prod-service-account for a production installation. Depending on your cluster configuration, the service account must be granted the appropriate PodSecurityPolicy or SecurityContextConstraints.

PodSecurityPolicy requirements (for any Certified Kubernetes platform except OpenShift)

The Helm chart requires a PodSecurityPolicy to be bound to the target namespace before installation. To meet this requirement, a specific cluster and namespace might have to be scoped by a cluster administrator. The predefined PodSecurityPolicy name ibm-restricted-psp is verified for this chart. If your target namespace is bound to this PodSecurityPolicy, you can proceed to install the chart.

For 8.10.4 However, if you use an internal database (internalDatabase.persistence.enabled=true), the previous PodSecurityPolicy is too restrictive. At least one of the other policies must be used: ibm-anyuid-psp, ibm-anyuid-hostpath-psp, ibm-anyuid-hostaccess-psp, or ibm-privileged-psp.

Red Hat OpenShift SecurityContextConstraints requirements

The Helm chart requires SecurityContextConstraints to be bound to the serviceAccount before installation. A cluster administrator can either bind the SecurityContextConstraints to the target namespace or to the serviceAccount specifically. See Preparing to install IBM Operational Decision Manager for how to execute this task.

For 8.10.5 The predefined SecurityContextConstraints name restricted is verified for this chart.

For 8.10.4 The predefined SecurityContextConstraints name ibm-restricted-scc is verified for this chart. However, if you use an internal database (internalDatabase.persistence.enabled=true), the previous SecurityContextConstraints is too restrictive. At least one of the other policies must be used: ibm-anyuid-scc, ibm-anyuid-hostpath-scc, ibm-anyuid-hostaccess-scc, or ibm-privileged-scc.

For more information, see Preparing to install IBM Operational Decision Manager.