Role-based access control (RBAC)
All permissions (service accounts, roles, role bindings) that are set up in addition to the CPD installation are listed below.
Service Accounts for IBM Financial Services Workbench
The following service accounts, together with their associated roles, are created during the installation process:
Service Account Name | Namespace of Service Account | Associated Roles / granted in Namespace |
---|---|---|
k5-operator-sa | cpd project (e.g. zen) | cpd-admin-role (Role) / cpd project (e.g. zen); cpd-viewer-role (Role) / cpd project (e.g. zen); edit (ClusterRole) / k5 projects (e.g. dev-stage); admin (ClusterRole) / k5 projects (e.g. dev-stage) |
k5-external-secrets-sa | cpd project (e.g. zen) | k5-external-secrets-role (ClusterRole) / - (cluster scope) |
k5-pipeline-manager-sa | cpd project (e.g. zen) | k5-pipeline-manager-role (ClusterRole) / cpd project (e.g. zen); k5-pipeline-role (ClusterRole) / cpd project (e.g. zen) |
k5-admin-sa | k5 projects (e.g. dev-stage) | k5-leases-role (Role) / k5 projects (e.g. dev-stage); k5-imagestreams-pipeline-manager-role (Role, optional) / k5 projects (e.g. dev-stage); admin (ClusterRole) / k5 projects (e.g. dev-stage) |
k5-editor-sa | k5 projects (e.g. dev-stage) | edit (ClusterRole) / k5 projects (e.g. dev-stage) |
k5-viewer-sa | k5 projects (e.g. dev-stage) | k5-viewer-secrets-role (Role) / k5 projects (e.g. dev-stage); view (ClusterRole) / k5 projects (e.g. dev-stage) |
The following existing service accounts are reused. The roles shown are additionally bound to these existing service accounts during the installation process:
Service Account Name | Namespace of Service Account | Associated Roles / granted in Namespace |
---|---|---|
cpd-admin-sa | cpd project (e.g. zen) | cpd-admin-additional-role (Role) / cpd project (e.g. zen); admin (ClusterRole) / k5 projects (e.g. dev-stage) |
cpd-editor-sa | cpd project (e.g. zen) | edit (ClusterRole) / k5 projects (e.g. dev-stage) |
cpd-viewer-sa | cpd project (e.g. zen) | view (ClusterRole) / cpd project (e.g. zen); view (ClusterRole) / k5 projects (e.g. dev-stage) |
For every "Deploy" pipeline that is created, a dedicated service account with the following configuration is created:
Service Account Name | Namespace of Service Account | Associated Roles / granted in Namespace |
---|---|---|
k5-pipeline-[solution acronym]-[suffix] (e.g. k5-pipeline-solution1-mxqs03) | cpd project (e.g. zen) | k5-pipeline-role (ClusterRole) / cpd project (e.g. zen); k5-pipeline-role (ClusterRole) / k5 projects (e.g. dev-stage) |
Roles/ClusterRoles for IBM Financial Services Workbench
The following permissions are added to the existing OpenShift ClusterRoles admin, edit and view using the ClusterRole aggregation mechanism:
ClusterRole | ApiGroups | Resources | Verbs |
---|---|---|---|
admin | k5.project.operator | k5clients, k5dashboards, k5pipelinemanagers, k5projects, k5realms, k5topics | create, delete, deletecollection, get, list, patch, update, watch |
admin | env.rt.cp.knowis.de | envoys | create, delete, deletecollection, get, list, patch, update, watch |
admin | sol.rt.cp.knowis.de | solutions | create, delete, deletecollection, get, list, patch, update, watch |
admin | coordination.k8s.io | leases | create, delete, deletecollection, get, list, patch, update, watch |
edit | k5.project.operator | k5clients, k5dashboards, k5pipelinemanagers, k5projects, k5realms, k5topics | create, delete, deletecollection, get, list, patch, update, watch |
edit | env.rt.cp.knowis.de | envoys | create, delete, deletecollection, get, list, patch, update, watch |
edit | sol.rt.cp.knowis.de | solutions | create, delete, deletecollection, get, list, patch, update, watch |
view | k5.project.operator | k5clients, k5dashboards, k5pipelinemanagers, k5projects, k5realms, k5topics | get, list, watch |
view | env.rt.cp.knowis.de | envoys | get, list, watch |
view | sol.rt.cp.knowis.de | solutions | get, list, watch |
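The aggregation mechanism referred to above works by labelling small ClusterRoles so that the RBAC controller folds their rules into the built-in admin, edit and view ClusterRoles. The manifests below are an added example and are not taken from the product's installation; the ClusterRole names (k5-aggregate-to-view, k5-aggregate-to-edit, k5-aggregate-to-admin) are assumptions, while the labels are the standard Kubernetes aggregation labels and the API groups, resources and verbs are those from the table. Because the built-in view ClusterRole is itself labelled for aggregation into edit, and edit into admin, a single ClusterRole per permission level is enough to produce all the rows in the table.

```yaml
# Added example (not the product's own manifests): ClusterRoles whose rules are
# aggregated into the built-in view/edit/admin ClusterRoles through the standard
# rbac.authorization.k8s.io/aggregate-to-* labels. The metadata.name values are
# assumptions; API groups, resources and verbs come from the table above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k5-aggregate-to-view              # assumed name
  labels:
    # selected by the built-in "view"; since "view" is aggregated into "edit"
    # and "edit" into "admin", these read-only rules reach all three roles
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: ["k5.project.operator"]
  resources: [k5clients, k5dashboards, k5pipelinemanagers, k5projects, k5realms, k5topics]
  verbs: [get, list, watch]
- apiGroups: ["env.rt.cp.knowis.de"]
  resources: [envoys]
  verbs: [get, list, watch]
- apiGroups: ["sol.rt.cp.knowis.de"]
  resources: [solutions]
  verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k5-aggregate-to-edit              # assumed name
  labels:
    # selected by the built-in "edit" and, through edit's own label, by "admin"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups: ["k5.project.operator"]
  resources: [k5clients, k5dashboards, k5pipelinemanagers, k5projects, k5realms, k5topics]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
- apiGroups: ["env.rt.cp.knowis.de"]
  resources: [envoys]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
- apiGroups: ["sol.rt.cp.knowis.de"]
  resources: [solutions]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k5-aggregate-to-admin             # assumed name
  labels:
    # admin only: the table grants leases to admin but not to edit or view
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["coordination.k8s.io"]
  resources: [leases]
  verbs: [create, delete, deletecollection, get, list, patch, update, watch]
```

After these are applied, `oc describe clusterrole view` (or `kubectl describe clusterrole view`) shows the k5 rules among the aggregated rules; they cannot be edited on the built-in ClusterRole directly, only on the labelled source ClusterRole. One point to keep in mind when reviewing such a setup: aggregation widens the built-in admin, edit and view roles cluster-wide, so every existing binding of those roles in any namespace, not only the k5 projects, gains the added permissions on these custom resources.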
The following roles are created during the installation process:
Role | Namespace of Role | ApiGroups | Resources | Verbs |
---|---|---|---|---|
cpd-admin-additional-role | cpd project (e.g. zen) | "", route.openshift.io, k5.project.operator, tekton.dev, triggers.tekton.dev | pods/portforward, routes, k5clients, k5realms, pipelines, tasks, triggerbindings | create, delete, get, list, patch, update, watch |
k5-leases-role | k5 project (e.g. dev-stage) | coordination.k8s.io | leases | create, get, list, patch, update, watch |
k5-viewer-secrets-role | k5 project (e.g. dev-stage) | "" | secrets | get, list, watch |
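To show how the namespaced roles in this table and the "granted in Namespace" column of the service account tables fit together, here is an added example (not the product's own manifests) of the k5-viewer-sa configuration: the k5-viewer-secrets-role Role from the table, a RoleBinding that binds it to k5-viewer-sa, and a RoleBinding that grants the built-in view ClusterRole in the same namespace. The namespace dev-stage is the page's own example value; the RoleBinding names are assumptions.

```yaml
# Added example (not the product's own manifests): the namespaced Role from the
# table and the two RoleBindings that give k5-viewer-sa its permissions in a k5
# project. "dev-stage" is the page's example namespace; RoleBinding names are assumed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: k5-viewer-secrets-role
  namespace: dev-stage
rules:
- apiGroups: [""]                     # "" is the core API group (secrets live there)
  resources: [secrets]
  verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k5-viewer-sa-secrets          # assumed name
  namespace: dev-stage
subjects:
- kind: ServiceAccount
  name: k5-viewer-sa
  namespace: dev-stage                # the service account's own namespace
roleRef:
  kind: Role
  name: k5-viewer-secrets-role
  apiGroup: rbac.authorization.k8s.io
---
# Referencing a ClusterRole from a RoleBinding grants it in this namespace only,
# which is what "view (ClusterRole) / k5 projects" in the table expresses.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: k5-viewer-sa-view             # assumed name
  namespace: dev-stage
subjects:
- kind: ServiceAccount
  name: k5-viewer-sa
  namespace: dev-stage
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

Two details worth checking when auditing this layout. First, the built-in view ClusterRole deliberately excludes secrets, so k5-viewer-secrets-role is the grant that makes secret contents readable (a list on secrets returns their data), and it is the one to review most carefully. Second, for the cpd-* service accounts in the tables above, the subject's namespace would be the cpd project (e.g. zen) while the RoleBinding itself lives in the k5 project; a RoleBinding may reference a service account from another namespace, which is how those cross-namespace grants are expressed. The effective result can be confirmed with `oc auth can-i list secrets -n dev-stage --as=system:serviceaccount:dev-stage:k5-viewer-sa`.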