mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/olmv1-creating-a-cluster-role.adoc
2025-02-18 17:17:16 +00:00
// Module included in the following assemblies:
//
// * extensions/ce/managing-ce.adoc
:_mod-docs-content-type: PROCEDURE
[id="olmv1-creating-a-cluster-role_{context}"]
= Creating a cluster role for an extension
You must carefully review the `install.spec.clusterPermissions` stanza of the cluster service version (CSV) and the manifests of an extension to define the role-based access controls (RBAC) that the extension you want to install requires. You must create a cluster role by copying the required RBAC from the CSV into the new manifest.
[TIP]
====
If you want to test the process for installing and updating an extension in {olmv1}, you can use the following cluster role to grant cluster administrator permissions. This manifest is for testing purposes only. It should not be used in production clusters.
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: <extension>-installer-clusterrole
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
----
====
The following procedure uses the `openshift-pipelines-operator-rh.clusterserviceversion.yaml` file of the {pipelines-title} Operator as an example. The examples include excerpts of the RBAC required to install and manage the {pipelines-shortname} Operator. For a complete manifest, see "Example cluster role for the {pipelines-title} Operator".
include::snippets/olmv1-manual-rbac-scoping-admonition.adoc[]
.Prerequisites
* Access to an {product-title} cluster using an account with `cluster-admin` permissions.
* You have downloaded the manifests in the image reference of the extension that you want to install.
.Procedure
. Create a new cluster role manifest, similar to the following example:
+
.Example `<extension>-cluster-role.yaml` file
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: <extension>-installer-clusterrole
----
. Edit your cluster role manifest to include permission to update finalizers on the extension, similar to the following example:
+
.Example `<extension>-cluster-role.yaml` file
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
- apiGroups:
  - olm.operatorframework.io
  resources:
  - clusterextensions/finalizers
  verbs:
  - update
  # Scoped to the name of the ClusterExtension
  resourceNames:
  - <metadata_name> # <1>
----
<1> Specifies the value from the `metadata.name` field from the custom resource (CR) of the extension.
. Search for the `clusterroles` and `clusterrolebindings` values in the `rules.resources` field in the extension's CSV file.
** Copy the API groups, resources, verbs, and resource names to your manifest, similar to the following example:
+
.Example cluster role manifest
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
# ...
# ClusterRoles and ClusterRoleBindings for the controllers of the extension
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - create # <1>
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - get
  - update
  - patch
  - delete
  resourceNames: # <2>
  - "*"
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - get
  - update
  - patch
  - delete
  resourceNames:
  - "*"
# ...
----
<1> You cannot scope `create`, `list`, and `watch` permissions to specific resource names (the `resourceNames` field). You must scope these permissions to their resources (the `resources` field).
<2> Some resource names are generated by using the following format: `<package_name>.<hash>`. After you install the extension, look up the resource names for the cluster roles and cluster role bindings for the controller of the extension. Replace the wildcard characters in this example with the generated names and follow the principle of least privilege.
. Search for the `customresourcedefinitions` value in the `rules.resources` field in the extension's CSV file.
** Copy the API groups, resources, verbs, and resource names to your manifest, similar to the following example:
+
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
# ...
# Custom resource definitions of the extension
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - update
  - patch
  - delete
  resourceNames:
  - manualapprovalgates.operator.tekton.dev
  - openshiftpipelinesascodes.operator.tekton.dev
  - tektonaddons.operator.tekton.dev
  - tektonchains.operator.tekton.dev
  - tektonconfigs.operator.tekton.dev
  - tektonhubs.operator.tekton.dev
  - tektoninstallersets.operator.tekton.dev
  - tektonpipelines.operator.tekton.dev
  - tektonresults.operator.tekton.dev
  - tektontriggers.operator.tekton.dev
# ...
----
. Search the CSV file for the `permissions` and `clusterPermissions` stanzas under `install.spec` and review the `rules` they contain.
** Copy the API groups, resources, verbs, and resource names to your manifest, similar to the following example:
+
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
# ...
# Excerpt from install.spec.clusterPermissions
- apiGroups:
  - ''
  resources:
  - nodes
  - pods
  - services
  - endpoints
  - persistentvolumeclaims
  - events
  - configmaps
  - secrets
  - pods/log
  - limitranges
  verbs:
  - create
  - list
  - watch
  - delete
  - deletecollection
  - patch
  - get
  - update
- apiGroups:
  - extensions
  - apps
  resources:
  - ingresses
  - ingresses/status
  verbs:
  - create
  - list
  - watch
  - delete
  - patch
  - get
  - update
# ...
----
. Search the CSV file for resources under the `install.spec.deployments` stanza.
** Copy the API groups, resources, verbs, and resource names to your manifest, similar to the following example:
+
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
# ...
# Excerpt from install.spec.deployments
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - update
  - patch
  - delete
  # scoped to the extension controller deployment name
  resourceNames:
  - openshift-pipelines-operator
  - tekton-operator-webhook
# ...
----
. Search for the `services` and `configmaps` values in the `rules.resources` field in the extension's CSV file.
** Copy the API groups, resources, verbs, and resource names to your manifest, similar to the following example:
+
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pipelines-installer-clusterrole
rules:
# ...
# Services
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
  # scoped to the service name
  resourceNames:
  - openshift-pipelines-operator-monitor
  - tekton-operator
  - tekton-operator-webhook
# configmaps
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - delete
  # scoped to the configmap name
  resourceNames:
  - config-logging
  - tekton-config-defaults
  - tekton-config-observability
  - tekton-operator-controller-config-leader-election
  - tekton-operator-info
  - tekton-operator-webhook-config-leader-election
- apiGroups:
  - operator.tekton.dev
  resources:
  - tekton-config-read-role
  - tekton-result-read-role
  verbs:
  - get
  - watch
  - list
----
. Add the cluster role manifest to the cluster by running the following command:
+
[source,terminal]
----
$ oc apply -f <extension>-installer-clusterrole.yaml
----
+
.Example command
[source,terminal]
----
$ oc apply -f pipelines-installer-clusterrole.yaml
----
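The following Python script is an added example, not part of the OpenShift documentation or the {olmv1} project. It automates the copying steps of the procedure above: given a CSV as a dict (for example, the output of `oc get csv <name> -o json` loaded with the `json` module), it emits the installer cluster role in procedure order, splits every resource into an unscoped `create`/`list`/`watch` rule and a name-scoped rule, and flags any rule that still contains `*` so you know which generated names to fill in after installation. The CSV excerpt and the extension name `pipelines` are constructed sample input.

```python
import json

# Constructed CSV excerpt (not a real manifest); it carries only the fields the procedure reads.
SAMPLE_CSV = {"spec": {
    "customresourcedefinitions": {"owned": [{"name": "tektonpipelines.operator.tekton.dev"},
                                            {"name": "tektonconfigs.operator.tekton.dev"}]},
    "install": {"spec": {
        "clusterPermissions": [{"serviceAccountName": "openshift-pipelines-operator", "rules": [
            {"apiGroups": [""], "resources": ["configmaps", "secrets"], "verbs": ["get", "list", "watch"]}]}],
        "deployments": [{"name": "openshift-pipelines-operator"}, {"name": "tekton-operator-webhook"}],
    }},
}}

UNSCOPABLE = ["create", "list", "watch"]   # RBAC cannot restrict these verbs by resourceNames
SCOPABLE = ["get", "update", "patch", "delete"]

def scoped_rules(api_group, resource, names):
    """One unscoped create/list/watch rule plus one rule limited to the given names."""
    return [{"apiGroups": [api_group], "resources": [resource], "verbs": UNSCOPABLE},
            {"apiGroups": [api_group], "resources": [resource], "verbs": SCOPABLE,
             "resourceNames": sorted(names)}]

def build_cluster_role(csv, extension_name):
    """Assemble the installer ClusterRole from a CSV dict in the order of the procedure above."""
    spec, install = csv["spec"], csv["spec"]["install"]["spec"]
    rules = [{"apiGroups": ["olm.operatorframework.io"], "resources": ["clusterextensions/finalizers"],
              "verbs": ["update"], "resourceNames": [extension_name]}]
    # Controller ClusterRole/ClusterRoleBinding names are generated (<package_name>.<hash>) and
    # unknown before installation, so they start as "*" and must be tightened afterwards.
    rules += scoped_rules("rbac.authorization.k8s.io", "clusterroles", ["*"])
    rules += scoped_rules("rbac.authorization.k8s.io", "clusterrolebindings", ["*"])
    owned = spec.get("customresourcedefinitions", {}).get("owned", [])
    rules += scoped_rules("apiextensions.k8s.io", "customresourcedefinitions", [c["name"] for c in owned])
    for grant in install.get("clusterPermissions", []) + install.get("permissions", []):
        rules += grant["rules"]  # copied verbatim, as the procedure instructs
    rules += scoped_rules("apps", "deployments", [d["name"] for d in install.get("deployments", [])])
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
            "metadata": {"name": f"{extension_name}-installer-clusterrole"}, "rules": rules}

def wildcard_rules(cluster_role):
    """Indexes of rules that still grant '*' anywhere; a non-empty list means least privilege is not yet met."""
    return [i for i, r in enumerate(cluster_role["rules"])
            if "*" in r.get("apiGroups", []) + r.get("resources", []) + r.get("verbs", []) + r.get("resourceNames", [])]

if __name__ == "__main__":
    role = build_cluster_role(SAMPLE_CSV, "pipelines")
    print(json.dumps(role, indent=2))            # oc apply -f accepts JSON as well as YAML
    print("rules still using wildcards:", wildcard_rules(role))
```

Re-run `wildcard_rules` on the manifest after you replace the generated `<package_name>.<hash>` names; an empty list confirms that no `*` grant remains.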