An operator that deploys the IAM policy controller which detects the cluster administrator role and IAM role binding violations
Important: Do not install this operator directly. Only install this operator using the IBM Common Services Operator. For more information about installing this operator and other Common Services operators, see Installer documentation. If you are using this operator as part of an IBM Cloud Pak, see the documentation for that IBM Cloud Pak to learn more about how to install and use the operator service. For more information about IBM Cloud Paks, see IBM Cloud Paks that use Common Services.
Red Hat OpenShift Container Platform 4.3 or newer installed on one of the following platforms.
- Linux x86_64
- Linux on Power (ppc64le)
- Linux on IBM Z and LinuxONE
- 1.0.0
Before you install this operator, you need to first install the operator dependencies and prerequisites:
-
For the list of operator dependencies, see the IBM Knowledge Center Common Services dependencies documentation.
-
For the list of prerequisites for installing the operator, see the IBM Knowledge Center Preparing to install services documentation.
-
ibm-iam-policy-operator must run in the
ibm-common-services
namespace
The ibm-iam-policy-operator supports running with the OpenShift Container Platform 4.3 default restricted Security Context Constraints (SCCs).
For more information about the OpenShift Container Platform Security Context Constraints, see Managing Security Context Constraints.
OCP 4.3 restricted SCC:
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
type: MustRunAs
groups:
- system:authenticated
kind: SecurityContextConstraints
metadata:
annotations:
kubernetes.io/description: restricted denies access to all host features and requires
pods to be run with a UID, and SELinux context that are allocated to the namespace. This
is the most restrictive SCC and it is used by default for authenticated users.
creationTimestamp: "2020-03-27T15:01:00Z"
generation: 1
name: restricted
resourceVersion: "6365"
selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/restricted
uid: 6a77775c-a6d8-4341-b04c-bd826a67f67e
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
type: MustRunAsRange
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
To install the operator with the IBM Common Services Operator, follow the installation and configuration instructions within the IBM Knowledge Center.
-
If you are using the operator as part of an IBM Cloud Pak, see the documentation for that IBM Cloud Pak. For a list of IBM Cloud Paks, see IBM Cloud Paks that use Common Services.
-
If you are using the operator with an IBM Containerized Software, see the IBM Cloud Platform Common Services Knowledge Center Installer documentation.
-
For more information, see the IBM Cloud Platform Common Services documentation.
As a developer, if you want to build and test this operator to try out and learn more about the operator and its capabilities, you can use the following developer guide. The guide provides commands for a quick installation and initial validation for running the operator.
Important: The following developer guide is provided as-is and only for trial and education purposes. IBM and IBM Support does not provide any support for the usage of the operator with this developer guide. For the official supported install and usage guide for the operator, see the the IBM Knowledge Center documentation for your IBM Cloud Pak or for IBM Cloud Platform Common Services.
-
To learn more about how the ibm-iam-policy-operator was implemented, see Operator Guidelines and Operator SDK
-
All of the resources that were created by our Helm chart are now created by a controller.
-
ibm-iam-policy-operator
has two CRDs:PolicyController
- Configurations for theiam-policy-controller
deployment.IamPolicy
- generated byiam-policy-controller
repo.
- If a field in a spec is omitted, the default value will be used.
- The list of all
ibm-iam-policy-operator
settings can be found in the IBM Cloud Platform Common Services Knowledge Center Configuration Documentation.
-
These steps are based on Operator Framework: Getting Started and Creating an App Operator.
-
Repositories: ibm-iam-policy-operator
-
Set the Go environment variables:
export GOPATH=/home/<username>/go
export GO111MODULE=on
export GOPRIVATE="github.ibm.com"
-
For more information, follow the Operator SDK Quickstart Guide
-
IMPORTANT: Anytime you modify
<kind>_types.go
, you must runmake generate
andmake generate-all
to update the CRD and the generated code.
make install-crd
make run
- Run tests on the cluster.
make uninstall
make install
- Run tests on the cluster.
make uninstall
- Create the
ibm-common-services
namespace. - Create the CatalogSource in your cluster.
- Select the
Operators
tab and in the drop-down selectOperatorHub
. - Search for the
ibm-iam-policy-operator
. - Install the operator in the
ibm-common-services
namespace. - Run tests on cluster
- To run unit tests use,
make test
Run these commands to collect information about the iam-policy-operator and iam-policy-controller deployments.
kubectl get pods -n ibm-common-services | grep iam-policy
kubectl get serviceaccount -n ibm-common-services | grep iam-policy
These steps verify:
- The ibm-iam-policy-operator is running.
- The iam-policy-controller is running.
Run these commands to collect logs:
kubectl logs <ibm-iam-policy-operator-pod> -n ibm-common-services
kubectl logs <iam-policy-controller-pod> -n ibm-common-services
- For more instructions on how to run end-to-end testing with the Operand Deployment Lifecycle Manager, see ODLM guide.