diff --git a/image/cli/mascli/functions/must_gather b/image/cli/mascli/functions/must_gather index 1509f977409..a4e10d0058a 100644 --- a/image/cli/mascli/functions/must_gather +++ b/image/cli/mascli/functions/must_gather @@ -224,14 +224,6 @@ function mustgather() { echo "For help reviewing the content of the must gather refer to:" echo "https://www.ibm.com/support/pages/how-review-maximo-application-suite-must-gather" - if [ "$(oc whoami 2>/dev/null)" == "" ] ; then - echo_warning "You must be logged in to the server as a cluster administrator before running the must-gather command" - exit 1 - elif [ "$(oc get clusterrolebindings 2>&1 | grep forbidden)" != "" ] ; then - echo_warning "Your user does not appear to be a cluster administrator, you must be logged in to the server as a cluster administrator before running the must-gather command" - exit 1 - fi - # --------------------------------------------------------------------------- # Generate OCP Report # --------------------------------------------------------------------------- diff --git a/rbac/install/kustomization.yaml b/rbac/install/kustomization.yaml index e9550326c32..61bce4b6118 100644 --- a/rbac/install/kustomization.yaml +++ b/rbac/install/kustomization.yaml @@ -20,7 +20,10 @@ resources: - pipeline/db2u.yaml - pipeline/eck.yaml - pipeline/grafana5.yaml + - pipeline/ibm-cpd.yaml - pipeline/ibm-sls.yaml + - pipeline/kube-system.yaml + - pipeline/mas-x-app.yaml - pipeline/mas-x-core.yaml - pipeline/mas-x-pipelines.yaml - pipeline/mongoce.yaml @@ -29,6 +32,7 @@ resources: - pipeline/openshift-ingress.yaml - pipeline/openshift-marketplace.yaml - pipeline/openshift-monitoring.yaml + - pipeline/openshift-nfd.yaml - pipeline/openshift-operators.yaml - pipeline/openshift-user-workload-monitoring.yaml - pipeline/redhat-marketplace.yaml diff --git a/rbac/install/namespaces.yaml b/rbac/install/namespaces.yaml index 122ad9b588e..a2cf78197e2 100644 --- a/rbac/install/namespaces.yaml +++ b/rbac/install/namespaces.yaml 
@@ -32,7 +32,7 @@ metadata: apiVersion: v1 kind: Namespace metadata: - name: db2u + name: sls-{{ mas_instance_id }} --- apiVersion: v1 kind: Namespace @@ -48,3 +48,63 @@ apiVersion: v1 kind: Namespace metadata: name: openshift-pipelines +--- +apiVersion: v1 +kind: Namespace +metadata: + name: openshift-nfd +--- +apiVersion: v1 +kind: Namespace +metadata: + name: nvidia-gpu-operator +--- +apiVersion: v1 +kind: Namespace +metadata: + name: ibm-cpd-operators +--- +apiVersion: v1 +kind: Namespace +metadata: + name: ibm-cpd +--- +apiVersion: v1 +kind: Namespace +metadata: + name: db2u +--- +apiVersion: v1 +kind: Namespace +metadata: + name: mas-{{ mas_instance_id }}-manage +--- +apiVersion: v1 +kind: Namespace +metadata: + name: mas-{{ mas_instance_id }}-monitor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: mas-{{ mas_instance_id }}-health +--- +apiVersion: v1 +kind: Namespace +metadata: + name: mas-{{ mas_instance_id }}-predict +--- +apiVersion: v1 +kind: Namespace +metadata: + name: mas-{{ mas_instance_id }}-assist +--- +apiVersion: v1 +kind: Namespace +metadata: + name: mas-{{ mas_instance_id }}-visualinspection +--- +apiVersion: v1 +kind: Namespace +metadata: + name: mas-{{ mas_instance_id }}-iot diff --git a/rbac/install/pipeline/clusterrole.yaml b/rbac/install/pipeline/clusterrole.yaml index 665a4c6fec8..9702dac2818 100644 --- a/rbac/install/pipeline/clusterrole.yaml +++ b/rbac/install/pipeline/clusterrole.yaml @@ -11,6 +11,9 @@ subjects: - kind: ServiceAccount name: mas-{{ mas_instance_id }}-install-pipeline namespace: mas-{{ mas_instance_id }}-pipelines + - kind: ServiceAccount + name: pipeline + namespace: mas-{{ mas_instance_id }}-pipelines --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
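Review bot: Adding the `pipeline` ServiceAccount as a second subject of the ClusterRoleBinding broadens the grant well beyond the install pipeline: in OpenShift Pipelines `pipeline` is the namespace's default ServiceAccount, so every PipelineRun or TaskRun in `mas-{{ mas_instance_id }}-pipelines` that omits `serviceAccountName` inherits this ClusterRole, which a later hunk in this commit extends to `"*"`/`"*"` with `impersonate`. If the motivation is that some run currently executes as the default account, the narrower fix is to set `serviceAccountName: mas-{{ mas_instance_id }}-install-pipeline` on that PipelineRun and drop this subject. If `pipeline` really must keep the binding, record why, e.g. `# NOTE: 'pipeline' is the OpenShift Pipelines default SA; bound because <CONSUMER-PLACEHOLDER> runs without serviceAccountName`, so the next reviewer can tell whether the dependency still exists.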
@@ -106,3 +109,42 @@ rules: - create - patch - list + + # Creating routes with custom hostnames requires cluster-wide permission + - apiGroups: + - route.openshift.io + resources: + - routes/custom-host + verbs: + - create + - update + + # Nvidia GPU operator ClusterPolicy is cluster-scoped + - apiGroups: + - nvidia.com + resources: + - clusterpolicies + verbs: + - get + - list + - create + - patch + - update + - watch + + # Cloud Pak for Data requires wildcard permissions to delegate to namespace roles + # This allows CPD operators to create roles with any permissions within their namespaces + - apiGroups: + - "*" + resources: + - "*" + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - impersonate diff --git a/rbac/install/pipeline/db2u.yaml b/rbac/install/pipeline/db2u.yaml index e690892eb4a..7c2ae71c521 100644 --- a/rbac/install/pipeline/db2u.yaml +++ b/rbac/install/pipeline/db2u.yaml @@ -94,6 +94,18 @@ rules: - create - patch - list + # DB2 setup requires pod exec access to copy files and run commands + - apiGroups: + - "" + resources: + - pods + - pods/log + - pods/exec + verbs: + - get + - list + - create + # DB2 requires cert-manager issuers and certificates for SSL - apiGroups: @@ -107,3 +119,15 @@ rules: - patch - list - watch + + + # DB2 requires routes for external access + - apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - create + - patch + - list diff --git a/rbac/install/pipeline/ibm-cpd.yaml b/rbac/install/pipeline/ibm-cpd.yaml new file mode 100644 index 00000000000..72fb8502c81 --- /dev/null +++ b/rbac/install/pipeline/ibm-cpd.yaml 
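Review bot: The last rule added to the ClusterRole — `apiGroups: "*"`, `resources: "*"`, create through deletecollection plus `impersonate` — is cluster-admin in all but name, and it makes every namespaced Role added elsewhere in this commit (ibm-cpd, ibm-sls, kube-system, openshift-nfd, mas-x-app) redundant, since the same ServiceAccount already holds everything cluster-wide. `impersonate` is the most severe part: it lets the pipeline act as any user or group, so audit records no longer attribute actions to the pipeline account. The stated need in the comment — letting CPD operators create Roles carrying permissions the pipeline does not itself hold — is exactly what the RBAC `escalate` (roles) and `bind` (rolebindings) verbs exist for; they belong on `rbac.authorization.k8s.io` resources, preferably in the namespaced ibm-cpd Role rather than in this ClusterRole. A replacement for the wildcard rule is below; the routes/custom-host and clusterpolicies rules above it are appropriately scoped as written.
```yaml
  # … unchanged: routes/custom-host and nvidia.com clusterpolicies rules …

  # Cloud Pak for Data operators create Roles/RoleBindings carrying permissions the
  # pipeline does not hold itself. The RBAC escalation check is satisfied by the
  # 'escalate' and 'bind' verbs; a cluster-wide wildcard grant is not required.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - rolebindings
    verbs:
      - escalate
      - bind
```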
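Review bot: The new pods rule in the db2u Role grants `create` on `pods`, `pods/log` and `pods/exec` as one rule, but the comment justifies only exec (`copy files and run commands`); `create` on `pods` additionally lets the pipeline launch arbitrary pods in the namespace, and `create` on `pods/log` has no meaning. Splitting it — `pods` with get/list, `pods/log` with get, `pods/exec` with create — keeps the grant to what the comment describes. It is also worth noting in the comment that exec into a pod is equivalent to holding that pod's mounted ServiceAccount token and secrets, so the rule is only as narrow as the db2u namespace itself. In the second db2u hunk there are two consecutive blank lines before the `DB2 requires routes` comment where the rest of the file uses one.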
@@ -0,0 +1,129 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:ibm-cpd-operators + namespace: ibm-cpd-operators +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: mas:{{ mas_instance_id }}:install-pipeline:ibm-cpd-operators +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:ibm-cpd-operators + namespace: ibm-cpd-operators +rules: + # Cloud Pak for Data operator installation + - apiGroups: + - operators.coreos.com + resources: + - installplans + - operatorgroups + - subscriptions + verbs: + - get + - list + - create + - patch + # IBM entitlement key secret and service accounts + - apiGroups: + - "" + resources: + - secrets + - serviceaccounts + verbs: + - get + - list + - create + - patch + - update + # CPD operators need to create RBAC resources + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - get + - list + - create + - patch + - update + - delete + # Grant wildcard permissions that CPD operators need to delegate + - apiGroups: + - "*" + resources: + - "*" + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:ibm-cpd + namespace: ibm-cpd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: mas:{{ mas_instance_id }}:install-pipeline:ibm-cpd +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:ibm-cpd + namespace: ibm-cpd +rules: 
+ # Cloud Pak for Data instance management + - apiGroups: + - "" + resources: + - secrets + - configmaps + - serviceaccounts + verbs: + - get + - list + - create + - patch + - update + # CPD services and deployments + - apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - get + - list + - create + - patch + - update + # CPD routes + - apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list + - create + - patch + - update diff --git a/rbac/install/pipeline/ibm-sls.yaml b/rbac/install/pipeline/ibm-sls.yaml index d6056f700e5..711b6cd4279 100644 --- a/rbac/install/pipeline/ibm-sls.yaml +++ b/rbac/install/pipeline/ibm-sls.yaml 
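Review bot: The final rule of the `ibm-cpd-operators` Role (`apiGroups: "*"`, `resources: "*"`, create/delete/get/list/patch/update/watch/deletecollection) is a superset of the three rules above it, so the operators, secrets and rbac rules are dead text that makes the Role read as least-privilege when it is effectively namespace admin. If the requirement is that CPD operators installed by the pipeline create Roles with permissions the pipeline lacks, the precise grant is on the existing rbac rule: add `- escalate` and `- bind` to its verbs and delete the wildcard rule. As long as the ClusterRole in this commit keeps its own `"*"`/`"*"` rule for the same ServiceAccount, both Roles in this file add nothing; they only become meaningful once that cluster-wide rule is removed. The `ibm-cpd` Role further down is appropriately scoped as written.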
@@ -52,3 +52,133 @@ rules: verbs: - create - patch + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:sls-instance + namespace: sls-{{ mas_instance_id }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: mas:{{ mas_instance_id }}:install-pipeline:sls-instance +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:sls-instance + namespace: sls-{{ mas_instance_id }} +rules: + # SLS instance namespace management + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - patch + + # SLS operator subscription requires operatorgroups + - apiGroups: + - operators.coreos.com + resources: + - operatorgroups + - subscriptions + - installplans + verbs: + - get + - list + - create + - patch + + # SLS requires secrets for entitlement keys and certificates + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - patch + - delete + + # SLS requires configmaps + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - create + - patch + + # SLS requires service accounts + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - create + - patch + + # SLS instance creation and management + - apiGroups: + - sls.ibm.com + resources: + - licenseservices + verbs: + - get + - create + - patch + - list + - watch + + # SLS requires PVCs + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - create + - patch + - list + + # SLS requires services + - apiGroups: + - "" + resources: + - services + verbs: + - get + - create + - patch + + # SLS requires deployments and statefulsets + - apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - get + - create + - patch + - list + - watch + + # 
SLS requires routes for external access + - apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - create + - patch diff --git a/rbac/install/pipeline/kube-system.yaml b/rbac/install/pipeline/kube-system.yaml new file mode 100644 index 00000000000..59c83313ae9 --- /dev/null +++ b/rbac/install/pipeline/kube-system.yaml @@ -0,0 +1,44 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:kube-system + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: mas:{{ mas_instance_id }}:install-pipeline:kube-system +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:kube-system + namespace: kube-system +rules: + # Some components may need to create secrets in kube-system + # This is typically for cluster-level configuration + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - create + - patch + - update + # DaemonSets for system-level components (e.g., GPU drivers, monitoring agents) + - apiGroups: + - apps + resources: + - daemonsets + verbs: + - get + - list + - create + - patch + - update diff --git a/rbac/install/pipeline/mas-x-app.yaml b/rbac/install/pipeline/mas-x-app.yaml new file mode 100644 index 00000000000..6224c1dabf7 --- /dev/null +++ b/rbac/install/pipeline/mas-x-app.yaml 
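Review bot: The secrets rule in the new `kube-system` Role grants `get` and `list` on every Secret in `kube-system`, and the comment justifies it only with `Some components may need to create secrets in kube-system` — a speculative grant in the namespace that typically holds control-plane and bootstrap credentials. If a specific consumer exists, name it in the comment and pin the rule with `resourceNames:` to that Secret; otherwise drop the rule until one is identified. The daemonsets rule's rationale (`GPU drivers, monitoring agents`) also looks stale given that this same commit installs the GPU operator into its own `nvidia-gpu-operator` namespace, so it is worth confirming whether anything still deploys into `kube-system` at all.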
@@ -0,0 +1,183 @@ +--- +# Shared ClusterRole for all MAS Applications +# This ClusterRole is bound to each application namespace below +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app +rules: + # Application installation requires namespace management + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - patch + + # Application operator subscription + - apiGroups: + - operators.coreos.com + resources: + - installplans + - operatorgroups + - subscriptions + verbs: + - get + - list + - create + - patch + + # Application requires secrets for entitlement keys and credentials + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - patch + - delete + + # Application requires service accounts + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - create + - patch + + # Application requires configmaps + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - create + - patch + + # Application CRDs - all MAS application types + - apiGroups: + - apps.mas.ibm.com + resources: + - manageapps + - manageworkspaces + - healthapps + - predictapps + - assistapps + - visualinspectionapps + - iotapps + verbs: + - get + - create + - patch + - list + - watch +--- +# Maximo Manage Application +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app-manage + namespace: mas-{{ mas_instance_id }}-manage +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +# Maximo Monitor Application +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app-monitor + namespace: mas-{{ 
mas_instance_id }}-monitor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +# Maximo Health Application +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app-health + namespace: mas-{{ mas_instance_id }}-health +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +# Maximo Predict Application +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app-predict + namespace: mas-{{ mas_instance_id }}-predict +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +# Maximo Assist Application +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app-assist + namespace: mas-{{ mas_instance_id }}-assist +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +# Maximo Visual Inspection Application +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app-visualinspection + namespace: mas-{{ mas_instance_id }}-visualinspection +roleRef: + 
apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +# IoT Tool Application +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app-iot + namespace: mas-{{ mas_instance_id }}-iot +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines diff --git a/rbac/install/pipeline/mas-x-core.yaml b/rbac/install/pipeline/mas-x-core.yaml index 949cdbc6e1e..75622cd8dc5 100644 --- a/rbac/install/pipeline/mas-x-core.yaml +++ b/rbac/install/pipeline/mas-x-core.yaml @@ -66,6 +66,8 @@ rules: - kafkacfgs - slscfgs - bascfgs + - idpcfgs + - smtpcfgs verbs: - get - create diff --git a/rbac/install/pipeline/openshift-nfd.yaml b/rbac/install/pipeline/openshift-nfd.yaml new file mode 100644 index 00000000000..a269c81f932 --- /dev/null +++ b/rbac/install/pipeline/openshift-nfd.yaml 
@@ -0,0 +1,78 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:openshift-nfd + namespace: openshift-nfd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: mas:{{ mas_instance_id }}:install-pipeline:openshift-nfd +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:openshift-nfd + namespace: openshift-nfd +rules: + # Nvidia GPU operator installation requires operator subscription + - apiGroups: + - operators.coreos.com + resources: + - installplans + - operatorgroups + - subscriptions + verbs: + - get + - list + - create + - patch + # Node Feature Discovery CRD management + - apiGroups: + - nfd.openshift.io + resources: + - nodefeaturediscoveries + verbs: + - get + - list + - create + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:nvidia-gpu-operator + namespace: nvidia-gpu-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: mas:{{ mas_instance_id }}:install-pipeline:nvidia-gpu-operator +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:nvidia-gpu-operator + namespace: nvidia-gpu-operator +rules: + # Nvidia GPU operator installation requires operator subscription + - apiGroups: + - operators.coreos.com + resources: + - installplans + - operatorgroups + - subscriptions + verbs: + - get + - list + - create + - patch
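Review bot: The comment on the first rule of the `openshift-nfd` Role, `# Nvidia GPU operator installation requires operator subscription`, describes the wrong namespace: this Role is bound in `openshift-nfd`, where the subscription being managed is the Node Feature Discovery operator, as the next rule (`nfd.openshift.io` / `nodefeaturediscoveries`) shows. Suggest `# Node Feature Discovery operator installation requires operator subscription`. The identical comment on the `nvidia-gpu-operator` Role further down is correct there, and the operators.coreos.com rule is the same in both Roles, so a reader is likely to assume one was copied from the other.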