Creating projects (namespaces) on Red Hat OpenShift Container Platform

Before you install IBM® Cloud Pak for Data on Red Hat® OpenShift® Container Platform, a cluster administrator should create the OpenShift projects (Kubernetes namespaces) where you plan to deploy the Cloud Pak for Data software.

Permissions you need for this task
You must be a cluster administrator.
When you need to complete this task
You must complete this task the first time you install Cloud Pak for Data.

You might need to complete this task if you decide to install additional instances of Cloud Pak for Data on your cluster or decide to deploy a service in a tethered namespace.

About this task

For information on supported project configurations, see Deployment architecture.

Use the following table to determine which projects (namespaces) you need to create.

Project Description
ibm-common-services

(Recommended name, used in subsequent commands)
Required for all installations.

The project where IBM Cloud Pak® foundational services is installed.

If IBM Cloud Pak foundational services is already installed on your cluster, identify the project where it is installed.

If IBM Cloud Pak foundational services is not installed on your cluster, ibm-common-services is the recommended project name.

ibm-common-services is used in various installation commands.

If you want to install IBM Cloud Pak foundational services in a different project, you must create a configmap. For details, see Installing IBM Cloud Pak foundational services in a custom namespace. (Using a different project is not recommended for typical installations.)

Additional software that might be installed in this project
Depending on the software that you plan to install and the installation method that you use, the following software might also be installed in the ibm-common-services project:
  • The IBM Cloud Pak for Data scheduling service

    If you need to install the scheduling service, it is recommended that you install it in the same project as IBM Cloud Pak foundational services.

  • The IBM Cloud Pak for Data platform operator

    If you decide to use the express installation method, the IBM Cloud Pak for Data platform operator will be installed in this project.

  • IBM Cloud Pak for Data service operators

    If you decide to use the express installation method, the service operators will be installed in this project.

cpd-operators

(Recommended name, used in subsequent commands)
Required for specialized installations.

cpd-operators is the recommended name and is used in various installation commands.

In a specialized installation, the IBM Cloud Pak foundational services operators are installed in the ibm-common-services project and the Cloud Pak for Data operators are installed in a separate project (typically cpd-operators). Each project has a dedicated:

  • Operator group, which specifies the OwnNamespace installation mode
  • NamespaceScope Operator, which allows the operators in the project to manage operators and service workloads in specific projects

In this way, you can specify different settings for the IBM Cloud Pak foundational services and for the Cloud Pak for Data operators.

cpd-instance

(Sample name, used in subsequent commands)
At least one project is required for all installations.

The project where the Cloud Pak for Data control plane is installed. (The Cloud Pak for Data control plane is installed in a separate project from the operators.)

If you plan to install multiple instances of Cloud Pak for Data, you must create one project for each instance.

cpd-instance is an example. You can use any project name. cpd-instance is used as a placeholder in various installation commands.

Most services are installed in the same project as the Cloud Pak for Data control plane. Review the documentation for the services that you plan to deploy to determine whether you must create any additional projects. For details, see Services.

cpd-instance-tether

(Sample name, used in subsequent commands)
Required or supported for some services.

A few services can be installed in tethered projects. A tethered project is managed by the Cloud Pak for Data control plane but is otherwise isolated from Cloud Pak for Data and the other services that are installed in that project.

cpd-instance-tether is an example. You can use any project name. cpd-instance-tether is used as a placeholder in various installation commands.

For information on which services can be installed in tethered projects, see Multitenancy support.

If you want to install a service in a tethered project, you must create the tethered project before you install the service.

After you decide which projects you need to create, review the following information to ensure that you understand the security considerations that you need to take into account:

Project Security considerations
ibm-common-services
Operator group
The ibm-common-services project uses the OwnNamespace installation mode. See the Procedure after this table for information on creating the operator group.
Namespace scope
The ibm-common-services project needs to be able to watch the project or projects where Cloud Pak for Data is deployed.

IBM Cloud Pak foundational services includes the IBM NamespaceScope Operator, which allows the operators in the ibm-common-services project to manage operators and service workloads in specific projects.

When you install Cloud Pak for Data or create a tethered namespace, you submit an operand request to grant permission to the operators in the ibm-common-services project to watch over the project (for example cpd-instance or cpd-instance-tether).

By default, the IBM NamespaceScope Operator has cluster permissions so that role binding projections can be completed automatically. However, you can optionally remove the cluster permissions from the IBM NamespaceScope Operator and manually authorize the projections. For details, see Authorizing foundational services to perform operations on workloads in a namespace.

SCCs
Follow the guidance in Security context constraints (SCCs) in the IBM Cloud Pak foundational services documentation.
Express installations only
The Cloud Pak for Data control plane and most Cloud Pak for Data services use the restricted SCC.

However, a few services require custom SCCs. For details, see Custom security context constraints for services.

cpd-operators
Operator group
The cpd-operators project uses the OwnNamespace installation mode. See the Procedure after this table for information on creating the operator group.
Namespace scope
The cpd-operators project needs to be able to watch the project or projects where Cloud Pak for Data is deployed.

When you prepare your cluster, you create an operator subscription for the IBM NamespaceScope Operator in the cpd-operators project. The IBM NamespaceScope Operator allows the operators in the cpd-operators project to manage operators and service workloads in specific projects.

When you install Cloud Pak for Data or create a tethered namespace, you submit an operand request to grant permission to the operators in the cpd-operators project to watch over the project (for example cpd-instance or cpd-instance-tether).

By default, the IBM NamespaceScope Operator has cluster permissions so that role binding projections can be completed automatically. However, you can optionally remove the cluster permissions from the IBM NamespaceScope Operator and manually authorize the projections. For details, see Authorizing foundational services to perform operations on workloads in a namespace.

SCCs
The Cloud Pak for Data control plane and most Cloud Pak for Data services use the restricted SCC.

However, a few services require custom SCCs. For details, see Custom security context constraints for services.

cpd-instance
Operator group
Not applicable.
Namespace scope
Not applicable.
SCCs
The Cloud Pak for Data control plane and most Cloud Pak for Data services use the restricted SCC.

However, a few services require custom SCCs. For details, see Custom security context constraints for services.

cpd-instance-tether
Operator group
Not applicable.
Namespace scope
Not applicable.
SCCs
The Cloud Pak for Data control plane and most Cloud Pak for Data services use the restricted SCC.

However, a few services require custom SCCs. For details, see Custom security context constraints for services.

Procedure

To create the necessary projects for your environment:

  1. Log in to your Red Hat OpenShift Container Platform as a cluster administrator:
    oc login OpenShift:port
  2. Create the appropriate projects for your environment.
    Important: Review the guidance in About this task to ensure that you create the appropriate projects for your environment.
    Project name Command to create
    ibm-common-services
    oc new-project ibm-common-services
    cpd-operators
    oc new-project cpd-operators
    cpd-instance
    Remember: cpd-instance is a sample name. If you don't want to use this name, replace cpd-instance with the appropriate name for your environment. You must also replace this name in subsequent commands.
    oc new-project cpd-instance
    cpd-instance-tether
    Remember: cpd-instance-tether is a sample name. If you don't want to use this name, replace cpd-instance-tether with the appropriate name for your environment. You must also replace this name in subsequent commands.
    oc new-project cpd-instance-tether
  3. Create the appropriate operator groups based on the type of installation method you are using:
      1. If IBM Cloud Pak foundational services is not installed, create the operator group for the IBM Cloud Pak foundational services project. The following example uses the recommended project name (ibm-common-services):
        cat <<EOF |oc apply -f -
        apiVersion: operators.coreos.com/v1alpha2
        kind: OperatorGroup
        metadata:
          name: operatorgroup
          namespace: ibm-common-services
        spec:
          targetNamespaces:
          - ibm-common-services
        EOF
      2. Create the operator group for the IBM Cloud Pak for Data platform operator project. The following example uses the recommended project name (cpd-operators):
        cat <<EOF |oc apply -f -
        apiVersion: operators.coreos.com/v1alpha2
        kind: OperatorGroup
        metadata:
          name: operatorgroup
          namespace: cpd-operators
        spec:
          targetNamespaces:
          - cpd-operators
        EOF
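
The following check is an added example, not part of the IBM documentation: it confirms that each operator project ended up in the OwnNamespace installation mode that the security considerations call for. The function names are hypothetical, and the check assumes that the operator groups use spec.targetNamespaces rather than a label selector.

```shell
#!/bin/sh
# Added example, not IBM's code. classify_operator_groups and audit_namespace
# are hypothetical helper names.

# Reads one line per OperatorGroup on stdin, "<name><TAB><targetNamespaces>",
# and prints the resulting state of the project.
# Returns 0 only when a single group targets exactly its own namespace.
classify_operator_groups() {
    ns=$1
    count=0
    verdict=OwnNamespace
    tab=$(printf '\t')
    while IFS="$tab" read -r name targets; do
        [ -n "$name" ] || continue
        count=$((count + 1))
        if [ -z "$targets" ]; then
            # Empty targetNamespaces: the group selects every namespace
            # (selectors are not inspected by this sketch).
            verdict=AllNamespaces
        elif [ "$targets" != "$ns" ] && [ "$verdict" = OwnNamespace ]; then
            verdict=NotOwnNamespace
        fi
    done
    if [ "$count" -eq 0 ]; then
        verdict=NoOperatorGroup
    elif [ "$count" -gt 1 ]; then
        # OLM does not support more than one operator group per namespace.
        verdict=TooManyOperatorGroups
    fi
    echo "$verdict"
    [ "$verdict" = OwnNamespace ]
}

# Live check against the cluster, for example: audit_namespace cpd-operators
audit_namespace() {
    oc get operatorgroup -n "$1" \
        -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.targetNamespaces[*]}{"\n"}{end}' |
        classify_operator_groups "$1"
}

# Constructed sample (not real cluster output): a group with no targetNamespaces.
printf 'operatorgroup\t\n' | classify_operator_groups cpd-operators || true
```

Run audit_namespace for ibm-common-services and cpd-operators after step 3; any verdict other than OwnNamespace means the operators in that project can watch more, or fewer, namespaces than intended.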