User Configuration OpenShift
This configuration is performed in the Red Hat OpenShift cluster. It enables users to use the integrated capabilities that are provided by the OpenShift console without restrictions.
Use Cases and permissions
- UC1: Show Pipelines and PipelineRuns
- UC2: Show Topology, pods and logs
UC1: Show Pipelines and PipelineRuns
Within the Solution Designer, the user is given links that lead directly to the displayed artifact in the OpenShift web console. These links only work if the user can log in to the OpenShift web console and has the necessary permissions on the OpenShift cluster. To show Pipelines and PipelineRuns, including the logs, a user needs the following permission set:
rules:
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - tekton.dev
    resources:
      - tasks
      - taskruns
      - pipelines
      - pipelineruns
      - pipelineresources
      - conditions
The permissions only need to be granted to users in those projects that are equipped with a k5project and where solutions will be deployed.
UC2: Show Topology, pods and logs
To view the application composition in the Topology view, a user needs at least the following permission set:
rules:
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
    resources:
      - pods
      - pods/log
      - pods/status
      - replicationcontrollers
      - services
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - apps.openshift.io
    resources:
      - deploymentconfigs
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - route.openshift.io
    resources:
      - routes
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - build.openshift.io
    resources:
      - buildconfigs
      - builds
The permissions only need to be granted to users in those projects that are equipped with a k5project and where solutions will be deployed.
Example configuration / Recommendation
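Instead of defining extra roles for the Topology view and/or pipeline artifacts, one can also use the predefined cluster role view. Note that view grants read-only access to most objects in the project (it does not include Secrets), which is broader than the rule sets listed above. Grant it per project:
oc adm policy add-role-to-user view <username> -n <project>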