Role-based access control (RBAC) overview

All associated permissions (service accounts, roles, role bindings) we set up additionally to the CPD installation are shown below.

Important: We do not grant any Role/ClusterRole at cluster scope.

Service Accounts for IBM Financial Services Workbench

The following service accounts including the associated roles are created during the installation process:


Service Account Name	Namespace of Service Account	Associated Roles / granted in Namespace
k5-operator-sa	cpd project (e.g. zen)	cpd-admin-role (Role) / cpd project (e.g. zen) cpd-viewer-role (Role) / cpd project (e.g. zen) edit (ClusterRole) / k5 projects (e.g. dev-stage) admin (ClusterRole) / k5 projects (e.g. dev-stage)
k5-s3-storage	cpd project (e.g. zen)	-
k5-admin-sa	k5 projects (e.g. dev-stage)	k5-leases-role (Role) / k5 projects (e.g. dev-stage) k5-imagestreams-pipeline-manager-role (Role - optional) / k5 projects (e.g. dev-stage) admin (ClusterRole) / k5 projects (e.g. dev-stage)
k5-editor-sa	k5 projects (e.g. dev-stage)	edit (ClusterRole) / k5 projects (e.g. dev-stage)
k5-viewer-sa	k5 projects (e.g. dev-stage)	k5-viewer-secrets-role (Role) / k5 projects (e.g. dev-stage) view (ClusterRole) / k5 projects (e.g. dev-stage)

The following existing service accounts are used. The shown roles are additionally associated to the existing service accounts during the installation process:


Service Account Name	Namespace of Service Account	Associated Roles / granted in Namespace
cpd-admin-sa	cpd project (e.g. zen)	cpd-admin-additional-role (Role) / cpd project (e.g. zen) admin (ClusterRole) / k5 projects (e.g. dev-stage)
cpd-editor-sa	cpd project (e.g. zen)	edit (ClusterRole) / k5 projects (e.g. dev-stage)
cpd-viewer-sa	cpd project (e.g. zen)	view (ClusterRole) / cpd project (e.g. zen) view (ClusterRole) / k5 projects (e.g. dev-stage)
pipeline	k5 projects (e.g. dev-stage)	k5-imagestreams-pipeline-role (Role) / k5 projects (e.g. dev-stage)

For every created "Build and Deploy" pipeline an own service account with the following configuration is created:


Service Account Name	Namespace of Service Account	Associated Roles / granted in Namespace
k5-pipeline-`solution-acronym`-`suffix` (e.g. k5-pipeline-solution1-mxqs03)	k5 project (e.g. dev-stage)	edit (ClusterRole) / k5 project (e.g. dev-stage)

Roles/ClusterRoles for IBM Financial Services Workbench

The following permissions are added to the already existing OpenShift ClusterRoles using the OpenShift aggregate mechanism:


ClusterRole	ApiGroups	Resources	Verbs
admin	k5.project.operator	"*"	create delete deletecollection get list patch update watch
admin	env.rt.cp.knowis.de	envoys	create delete deletecollection get list patch update watch
admin	sol.rt.cp.knowis.de	solutions	create delete deletecollection get list patch update watch
admin	coordination.k8s.io	leases	"*"
edit	k5.project.operator	"*"	create delete deletecollection get list patch update watch
edit	env.rt.cp.knowis.de	envoys	create delete deletecollection get list patch update watch
edit	sol.rt.cp.knowis.de	solutions	create delete deletecollection get list patch update watch
view	k5.project.operator	"*"	get list watch
view	env.rt.cp.knowis.de	envoys	get list watch
view	sol.rt.cp.knowis.de	solutions	get list watch

The following roles are created during the installation process:


Role	Namespace of Role	ApiGroups	Resources	Verbs
cpd-admin-additional-role	cpd project (e.g. zen)	"" route.openshift.io	pods/portforward routes	create delete exec get list patch update watch
k5-leases-role	k5 project (e.g. dev-stage)	coordination.k8s.io	leases	create get list patch update watch
k5-viewer-secrets-role	k5 project (e.g. dev-stage)	""	secrets	get list watch
k5-imagestreams-pipeline-manager-role	k5 project (e.g. dev-stage)	"" image.openshift.io	imagestreams	get list watch
k5-imagestreams-pipeline-manager-role	k5 project (e.g. dev-stage)	"" image.openshift.io	imagestreams/layers	get
k5-imagestreams-pipeline-role	k5 project (e.g. dev-stage)	"" image.openshift.io	imagestreams imagestreams/layers	get