openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/olmv1-cluster-extension-permissions.adoc
Michael Ryan Peter b8491a1264 OSDOCS#12884[4.18][OLMv1]Create RBAC to manage and install ce
2025-02-18 17:17:16 +00:00

21 lines
1.5 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * extensions/ce/managing-ce.adoc
:_mod-docs-content-type: CONCEPT
[id="olmv1-cluster-extension-permissions_{context}"]
= Cluster extension permissions
In {olmv0-first}, a single service account with cluster administrator privileges manages all cluster extensions.
{olmv1} is designed to be more secure than {olmv0} by default. {olmv1} manages a cluster extension by using the service account specified in an extension's custom resource (CR). Cluster administrators can create a service account for each cluster extension. As a result, administrators can follow the principle of least privilege and assign only the role-based access controls (RBAC) to install and manage that extension.
You must add each permission to either a cluster role or role. Then you must bind the cluster role or role to the service account with a cluster role binding or role binding.
You can scope the RBAC to either the cluster or to a namespace. Use cluster roles and cluster role bindings to scope permissions to the cluster. Use roles and role bindings to scope permissions to a namespace. Whether you scope the permissions to the cluster or to a namespace depends on the design of the extension you want to install and manage.
include::snippets/olmv1-manual-rbac-scoping-admonition.adoc[]
If a new version of an installed extension requires additional permissions, {olmv1} halts the update process until a cluster administrator grants those permissions.
View Git Blame Copy Permalink