Role-based access control (RBAC)
All associated permissions (service accounts, roles, role bindings) we set up are shown below.
Service Accounts for IBM Industry Solutions Workbench
The following service accounts including the associated roles are created during the installation process:
Service Account Name | Namespace of Service Account | Associated Roles / granted in Namespace |
---|---|---|
k5-admin-sa | install project (e.g. k5-tools) | k5-admin-role (Role) / install project (e.g. k5-tools) |
k5-admin-sa | k5 projects (e.g. dev-stage) | admin (ClusterRole) / k5 projects (e.g. dev-stage) |
k5-editor-sa | k5 projects (e.g. dev-stage) | edit (ClusterRole) / k5 projects (e.g. dev-stage) |
k5-operator-sa | install project (e.g. k5-tools) | k5-admin-role (Role) / install project (e.g. k5-tools)<br>k5-operator-role (Role) / install project (e.g. k5-tools)<br>admin (ClusterRole) / k5 projects (e.g. dev-stage) (Applied manually) |
k5-pipeline-sa | install project (e.g. k5-tools) | k5-pipeline-role (Role) / install project (e.g. k5-tools)<br>admin (ClusterRole) / k5 projects (e.g. dev-stage) (Applied manually) |
k5-viewer-sa | install project (e.g. k5-tools) | k5-viewer-role (Role) / install project (e.g. k5-tools) |
k5-viewer-sa | k5 projects (e.g. dev-stage) | view (ClusterRole) / k5 projects (e.g. dev-stage) |
Roles/ClusterRoles for IBM Industry Solutions Workbench
The following roles are created during the installation process:
Role | Namespace of Role | ApiGroups | Resources | Verbs |
---|---|---|---|---|
k5-admin-role<br>k5-viewer-role | install project (e.g. k5-tools) | ""<br>apps<br>argoproj.io<br>autoscaling<br>image.openshift.io<br>rbac.authorization.k8s.io<br>route.openshift.io<br>tekton.dev<br>triggers.tekton.dev | configmaps<br>namespaces<br>pods<br>secrets (only k5-admin-role)<br>services<br>serviceaccounts<br>deployments<br>applications<br>horizontalpodautoscalers<br>imagestreams<br>imagestreams/layers<br>roles<br>rolebindings<br>routes<br>pipelineresources<br>pipelineruns<br>pipelines<br>taskruns<br>tasks<br>eventlisteners<br>triggertemplates | create (only k5-admin-role)<br>delete (only k5-admin-role)<br>get<br>list<br>patch (only k5-admin-role)<br>update (only k5-admin-role)<br>watch |
k5-operator-role | install project (e.g. k5-tools) | k5.project.operator<br>k5.config | k5clients<br>k5dashboards<br>k5pipelinemanagers<br>k5projects<br>k5realms<br>k5topics | create<br>delete<br>get<br>list<br>patch<br>update<br>watch |
k5-pipeline-role | install project (e.g. k5-tools) | ""<br>image.openshift.io | secrets<br>configmaps<br>imagestreams<br>imagestreams/layers | create<br>get<br>list<br>patch<br>update |
k5-aggregate-admin-role | cluster-wide | k5.config | k5externalsecrets/status | create<br>delete<br>get<br>list<br>patch<br>update<br>watch |
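
One way to check a live cluster against the k5-viewer-role row above, as an added example that is not part of the original documentation: it expands an exported Role (for example the output of `oc get role k5-viewer-role -n k5-tools -o json`) into (apiGroup, resource, verb) triples and reports every grant beyond the documented read-only set. The sample role JSON is constructed, and treating the table's apiGroups, resources and verbs as one combined allow-list is an assumption.

```python
import json

# Baseline for k5-viewer-role, copied from the roles table above.
# Assumption: the three columns are treated as one combined allow-list.
DOC_GROUPS = {"", "apps", "argoproj.io", "autoscaling", "image.openshift.io",
              "rbac.authorization.k8s.io", "route.openshift.io", "tekton.dev",
              "triggers.tekton.dev"}
DOC_RESOURCES = {"configmaps", "namespaces", "pods", "services", "serviceaccounts",
                 "deployments", "applications", "horizontalpodautoscalers",
                 "imagestreams", "imagestreams/layers", "roles", "rolebindings",
                 "routes", "pipelineresources", "pipelineruns", "pipelines",
                 "taskruns", "tasks", "eventlisteners", "triggertemplates"}
DOC_VERBS = {"get", "list", "watch"}  # create/delete/patch/update are admin-only

# Constructed sample of a drifted role export (not taken from a real cluster).
SAMPLE_ROLE_JSON = """
{"kind": "Role", "metadata": {"name": "k5-viewer-role", "namespace": "k5-tools"},
 "rules": [
  {"apiGroups": [""], "resources": ["configmaps", "pods"], "verbs": ["get", "list", "watch"]},
  {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
  {"apiGroups": ["tekton.dev"], "resources": ["pipelineruns"], "verbs": ["get", "create"]},
  {"apiGroups": ["apps"], "resources": ["*"], "verbs": ["list"]}
 ]}
"""

def excess_grants(role):
    """Return sorted (apiGroup, resource, verb) triples beyond the documented baseline."""
    excess = set()
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    # A "*" wildcard is in none of the baseline sets, so it is
                    # always reported instead of being silently expanded.
                    if (group not in DOC_GROUPS or resource not in DOC_RESOURCES
                            or verb not in DOC_VERBS):
                        excess.add((group, resource, verb))
    return sorted(excess)

def audit_json(text):
    """Parse an exported Role (JSON text) and return its excess grants."""
    return excess_grants(json.loads(text))

if __name__ == "__main__":
    for triple in audit_json(SAMPLE_ROLE_JSON):
        print("beyond documented k5-viewer-role:", triple)
```

Because the baseline is a combined allow-list, the check catches added resources, verbs and wildcards but not a documented resource granted under a different documented apiGroup.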
Role Bindings for existing Service Accounts for IBM Industry Solutions Workbench
The following role bindings for existing service accounts are created during the installation process:
Service Account Name | Namespace of Service Account | Associated Roles / granted in Namespace |
---|---|---|
openshift-gitops-argocd-application-controller (required if OpenShift GitOps Operator is used) | openshift-gitops | admin (ClusterRole) / openshift-gitops |
Security Context Constraints (SCC) for IBM Industry Solutions Workbench
The following Security Context Constraints (SCC) are applied manually:
Service Account Name | Namespace of Service Account | Associated SCC |
---|---|---|
k5-pipeline-sa | install project (e.g. k5-tools) | pipelines-scc |