Role-based access control (RBAC) autorization overview

All associated permissions (service accounts, roles, rolebindings) we set up additionally to the cpd installation are shown below.

Important: We do not grant any Role/ClusterRole at cluster scope.

Service Accounts overview

The following service accounts including the associated roles are created during the installation process:

Service Account Name Namespace of Service Account Associated Roles / Granted in Namespace
k5-operator-sa cpd project (e.g. zen)

cpd-admin-role (Role) / cpd project (e.g. zen)

cpd-viewer-role (Role) / cpd project (e.g. zen)

edit (ClusterRole) / k5 projects (e.g. dev-stage)

admin (ClusterRole) / k5 projects (e.g. dev-stage)

k5-s3-storage cpd project (e.g. zen) -
k5-admin-sa k5 projects (e.g. dev-stage)

k5-leases-role (Role) / k5 projects (e.g. dev-stage)

k5-imagestreams-pipeline-manager-role (Role - optional) / k5 projects (e.g. dev-stage)

admin (ClusterRole) / k5 projects (e.g. dev-stage)

k5-editor-sa k5 projects (e.g. dev-stage)

edit (ClusterRole) / k5 projects (e.g. dev-stage)

k5-viewer-sa k5 projects (e.g. dev-stage)

k5-viewer-secrets-role (Role) / k5 projects (e.g. dev-stage)

view (ClusterRole) / k5 projects (e.g. dev-stage)

The following existing service accounts are used. The shown roles are additionally associated to the existing service accounts during the installation process:

Service Account Name Namespace of Service Account Associated Roles / Granted in Namespace
cpd-admin-sa cpd project (e.g. zen)

cpd-admin-additional-role (Role) / cpd project (e.g. zen)

admin (ClusterRole) / k5 projects (e.g. dev-stage)

cpd-editor-sa cpd project (e.g. zen)

edit (ClusterRole) / k5 projects (e.g. dev-stage)

cpd-viewer-sa cpd project (e.g. zen)

view (ClusterRole) / cpd project (e.g. zen)

view (ClusterRole) / k5 projects (e.g. dev-stage)

pipeline k5 projects (e.g. dev-stage)

k5-imagestreams-pipeline-role (Role) / k5 projects (e.g. dev-stage)

For every created "Build and Deploy" pipeline an own service account with the following configuration is created:

Service Account Name Namespace of Service Account Associated Roles / Granted in Namespace
k5-pipeline-solution-acronym-suffix (e.g. k5-pipeline-solution1-mxqs03) k5 project (e.g. dev-stage)

edit (ClusterRole) / k5 project (e.g. dev-stage)

Roles/ClusterRoles overview

The following permissions are added to the already existing OpenShift ClusterRoles using the OpenShift aggregate mechanism:

ClusterRole ApiGroups Resources Verbs
admin k5.project.operator "*"

create

delete

deletecollection

get

list

patch

update

watch

admin env.rt.cp.knowis.de envoys

create

delete

deletecollection

get

list

patch

update

watch

admin sol.rt.cp.knowis.de solutions

create

delete

deletecollection

get

list

patch

update

watch

admin coordination.k8s.io leases

"*"

edit k5.project.operator "*"

create

delete

deletecollection

get

list

patch

update

watch

edit env.rt.cp.knowis.de envoys

create

delete

deletecollection

get

list

patch

update

watch

edit sol.rt.cp.knowis.de solutions

create

delete

deletecollection

get

list

patch

update

watch

view k5.project.operator "*"

get

list

watch

view env.rt.cp.knowis.de envoys

get

list

watch

view sol.rt.cp.knowis.de solutions

get

list

watch

The following roles are created during the installation process:

Role Namespace of Role ApiGroups Resources Verbs
cpd-admin-additional-role cpd project (e.g. zen)

""

route.openshift.io

pods/portforward

routes

create

delete

exec

get

list

patch

update

watch

k5-leases-role k5 project (e.g. dev-stage)

coordination.k8s.io

leases

create

get

list

patch

update

watch

k5-viewer-secrets-role k5 project (e.g. dev-stage)

""

secrets

get

list

watch

k5-imagestreams-pipeline-manager-role k5 project (e.g. dev-stage)

""

image.openshift.io

imagestreams

get

list

watch

k5-imagestreams-pipeline-manager-role k5 project (e.g. dev-stage)

""

image.openshift.io

imagestreams/layers

get

k5-imagestreams-pipeline-role k5 project (e.g. dev-stage)

""

image.openshift.io

imagestreams

imagestreams/layers

get