Role-based access control (RBAC) overview
All permissions (service accounts, roles, role bindings) that the Workbench installation sets up in addition to those of the CPD installation are listed below.
Important: no Role or ClusterRole is granted at cluster scope; every grant is bound within the projects listed below.
Service Accounts for IBM Financial Services Workbench
The following service accounts, together with their associated roles, are created during the installation process:
| Service Account Name | Namespace of Service Account | Associated Roles / granted in Namespace |
|---|---|---|
| k5-operator-sa | cpd project (e.g. zen) | cpd-admin-role (Role) / cpd project (e.g. zen)<br>cpd-viewer-role (Role) / cpd project (e.g. zen)<br>edit (ClusterRole) / k5 projects (e.g. dev-stage)<br>admin (ClusterRole) / k5 projects (e.g. dev-stage) |
| k5-s3-storage | cpd project (e.g. zen) | - |
| k5-admin-sa | k5 projects (e.g. dev-stage) | k5-leases-role (Role) / k5 projects (e.g. dev-stage)<br>k5-imagestreams-pipeline-manager-role (Role, optional) / k5 projects (e.g. dev-stage)<br>admin (ClusterRole) / k5 projects (e.g. dev-stage) |
| k5-editor-sa | k5 projects (e.g. dev-stage) | edit (ClusterRole) / k5 projects (e.g. dev-stage) |
| k5-viewer-sa | k5 projects (e.g. dev-stage) | k5-viewer-secrets-role (Role) / k5 projects (e.g. dev-stage)<br>view (ClusterRole) / k5 projects (e.g. dev-stage) |
The following existing service accounts are also used. The roles shown are bound to them in addition to their existing roles during the installation process:
| Service Account Name | Namespace of Service Account | Associated Roles / granted in Namespace |
|---|---|---|
| cpd-admin-sa | cpd project (e.g. zen) | cpd-admin-additional-role (Role) / cpd project (e.g. zen)<br>admin (ClusterRole) / k5 projects (e.g. dev-stage) |
| cpd-editor-sa | cpd project (e.g. zen) | edit (ClusterRole) / k5 projects (e.g. dev-stage) |
| cpd-viewer-sa | cpd project (e.g. zen) | view (ClusterRole) / cpd project (e.g. zen)<br>view (ClusterRole) / k5 projects (e.g. dev-stage) |
| pipeline | k5 projects (e.g. dev-stage) | k5-imagestreams-pipeline-role (Role) / k5 projects (e.g. dev-stage) |
For every "Build and Deploy" pipeline that is created, a dedicated service account with the following configuration is created:
| Service Account Name | Namespace of Service Account | Associated Roles / granted in Namespace |
|---|---|---|
| `k5-pipeline-<solution-acronym>-<suffix>` (e.g. k5-pipeline-solution1-mxqs03) | k5 project (e.g. dev-stage) | edit (ClusterRole) / k5 project (e.g. dev-stage) |
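The tables above are a baseline that can be checked against a live cluster or a GitOps repository. The script below is an added example (not part of the product installer): it takes the item list that `oc get rolebindings,clusterrolebindings -A -o json` returns and reports a listed service account that is referenced by a ClusterRoleBinding (a cluster-scope grant, which the overview rules out), a RoleBinding that grants it a role the tables do not list, and a documented grant that is absent. The namespace names follow the page's examples (`zen`, `dev-stage`); the sample bindings at the bottom are constructed for the example.

```python
"""Audit namespace bindings of the Workbench service accounts against the documented tables."""

CPD_NS = "zen"        # cpd project (page example)
K5_NS = "dev-stage"   # k5 project (page example)
ROLE, CLUSTER_ROLE = "Role", "ClusterRole"

# Documented grants for the service accounts the installation creates:
# (sa namespace, sa name) -> {(binding namespace, roleRef kind, roleRef name)}
EXPECTED = {
    (CPD_NS, "k5-operator-sa"): {
        (CPD_NS, ROLE, "cpd-admin-role"), (CPD_NS, ROLE, "cpd-viewer-role"),
        (K5_NS, CLUSTER_ROLE, "edit"), (K5_NS, CLUSTER_ROLE, "admin"),
    },
    (CPD_NS, "k5-s3-storage"): set(),
    (K5_NS, "k5-admin-sa"): {
        (K5_NS, ROLE, "k5-leases-role"),
        (K5_NS, ROLE, "k5-imagestreams-pipeline-manager-role"),
        (K5_NS, CLUSTER_ROLE, "admin"),
    },
    (K5_NS, "k5-editor-sa"): {(K5_NS, CLUSTER_ROLE, "edit")},
    (K5_NS, "k5-viewer-sa"): {
        (K5_NS, ROLE, "k5-viewer-secrets-role"), (K5_NS, CLUSTER_ROLE, "view"),
    },
}
# The table marks this role as optional, so its absence is not reported.
OPTIONAL = {(K5_NS, ROLE, "k5-imagestreams-pipeline-manager-role")}


def service_account_subjects(binding):
    """Yield (namespace, name) for every ServiceAccount subject of a binding."""
    for subject in binding.get("subjects") or []:
        if subject.get("kind") == "ServiceAccount":
            yield subject["namespace"], subject["name"]


def audit(bindings, account_names):
    """Return human-readable findings for the named accounts; [] means they match the tables."""
    findings = []
    seen = {sa: set() for sa in EXPECTED if sa[1] in account_names}
    for binding in bindings:
        name = binding["metadata"]["name"]
        ref = binding["roleRef"]
        for sa in service_account_subjects(binding):
            if sa not in seen:
                continue
            if binding["kind"] == "ClusterRoleBinding":
                findings.append(f"{sa[1]} ({sa[0]}) bound at cluster scope via ClusterRoleBinding {name}")
                continue
            grant = (binding["metadata"]["namespace"], ref["kind"], ref["name"])
            seen[sa].add(grant)
            if grant not in EXPECTED[sa]:
                findings.append(f"{sa[1]} ({sa[0]}) has undocumented grant {grant[1]}/{grant[2]} in {grant[0]}")
    for sa, grants in seen.items():
        for ns, kind, role in sorted(EXPECTED[sa] - grants - OPTIONAL):
            findings.append(f"{sa[1]} ({sa[0]}) is missing documented grant {kind}/{role} in {ns}")
    return findings


def binding(kind, name, ref_kind, ref_name, sa_name, sa_ns, ns=None):
    """Build a binding object in the shape the API server returns (helper for the constructed sample)."""
    meta = {"name": name} if ns is None else {"name": name, "namespace": ns}
    return {"kind": kind, "metadata": meta,
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": ref_kind, "name": ref_name},
            "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_ns}]}


# Constructed sample: the two documented viewer bindings, the editor binding, and one
# stray ClusterRoleBinding that contradicts the "no cluster scope" statement.
SAMPLE_BINDINGS = [
    binding("RoleBinding", "k5-viewer-view", CLUSTER_ROLE, "view", "k5-viewer-sa", K5_NS, ns=K5_NS),
    binding("RoleBinding", "k5-viewer-secrets", ROLE, "k5-viewer-secrets-role", "k5-viewer-sa", K5_NS, ns=K5_NS),
    binding("RoleBinding", "k5-editor-edit", CLUSTER_ROLE, "edit", "k5-editor-sa", K5_NS, ns=K5_NS),
    binding("ClusterRoleBinding", "stray-k5-editor", CLUSTER_ROLE, "edit", "k5-editor-sa", K5_NS),
]

if __name__ == "__main__":
    import json, sys
    # Pass the path of an `oc get ... -o json` dump as the first argument; otherwise the sample is used.
    items = json.load(open(sys.argv[1]))["items"] if len(sys.argv) > 1 else SAMPLE_BINDINGS
    print("\n".join(audit(items, {"k5-viewer-sa", "k5-editor-sa"})) or "no findings")
```

Run against the sample, the only finding is the stray ClusterRoleBinding of `k5-editor-sa`; the per-pipeline accounts (`k5-pipeline-*`) and the pre-existing CPD accounts are not in `EXPECTED` because their full set of grants is not limited to this page.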
Roles/ClusterRoles for IBM Financial Services Workbench
The following permissions are added to the existing OpenShift ClusterRoles admin, edit and view through the ClusterRole aggregation mechanism (the aggregationRule label selectors of those roles):
| ClusterRole | ApiGroups | Resources | Verbs | 
|---|---|---|---|
| admin | k5.project.operator | "*" | create delete deletecollection get list patch update watch | 
| admin | env.rt.cp.knowis.de | envoys | create delete deletecollection get list patch update watch | 
| admin | sol.rt.cp.knowis.de | solutions | create delete deletecollection get list patch update watch | 
| admin | coordination.k8s.io | leases | "*" | 
| edit | k5.project.operator | "*" | create delete deletecollection get list patch update watch | 
| edit | env.rt.cp.knowis.de | envoys | create delete deletecollection get list patch update watch | 
| edit | sol.rt.cp.knowis.de | solutions | create delete deletecollection get list patch update watch | 
| view | k5.project.operator | "*" | get list watch | 
| view | env.rt.cp.knowis.de | envoys | get list watch | 
| view | sol.rt.cp.knowis.de | solutions | get list watch | 
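To make the aggregation mechanism concrete, the following added example (not the product's own manifests) models what the clusterrole-aggregation controller in kube-controller-manager does: it rebuilds the rules of a ClusterRole that carries an aggregationRule from every ClusterRole whose labels match one of the rule's selectors. The constructed "piece" ClusterRoles mirror the table above; `aggregate()` performs the merge and `allowed()` evaluates a request against the result. The piece names (`k5-aggregate-*`) are assumptions made for this example, and the built-in rules of admin, edit and view themselves are not modelled.

```python
"""Simulate ClusterRole aggregation for the Workbench additions to admin, edit and view."""

LABEL = "rbac.authorization.k8s.io/aggregate-to-"
FULL = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
READ = ["get", "list", "watch"]

# aggregationRule selectors of the built-in roles, as shipped with Kubernetes. Each piece
# below is labelled for every target it belongs to, so the chaining of the real defaults
# (the edit role is itself labelled aggregate-to-admin, view is labelled aggregate-to-edit)
# does not need to be reproduced here.
SELECTORS = {
    "admin": [{"matchLabels": {LABEL + "admin": "true"}}],
    "edit": [{"matchLabels": {LABEL + "edit": "true"}}],
    "view": [{"matchLabels": {LABEL + "view": "true"}}],
}


def rule(group, resource, verbs):
    return {"apiGroups": [group], "resources": [resource], "verbs": verbs}


def piece(name, targets, rules):
    """A ClusterRole whose only purpose is to be aggregated into the ClusterRoles in `targets`."""
    return {"metadata": {"name": name, "labels": {LABEL + t: "true" for t in targets}}, "rules": rules}


K5_RESOURCES = [("k5.project.operator", "*"), ("env.rt.cp.knowis.de", "envoys"), ("sol.rt.cp.knowis.de", "solutions")]

PIECES = [  # constructed to match the table of aggregated permissions
    piece("k5-aggregate-write", ["admin", "edit"], [rule(g, r, FULL) for g, r in K5_RESOURCES]),
    piece("k5-aggregate-leases", ["admin"], [rule("coordination.k8s.io", "leases", ["*"])]),
    piece("k5-aggregate-read", ["view"], [rule(g, r, READ) for g, r in K5_RESOURCES]),
]


def matches(selector, labels):
    """matchLabels semantics: every key of the selector must be present with the same value."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def aggregate(target, pieces):
    """Rules the controller would copy into `target` from all pieces matching one of its selectors."""
    merged = []
    for p in pieces:
        if any(matches(s, p["metadata"]["labels"]) for s in SELECTORS[target]):
            merged.extend(p["rules"])
    return merged


def allowed(rules, group, resource, verb):
    """RBAC matching on apiGroup, resource and verb; '*' in a rule matches anything."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return any(hit(r["apiGroups"], group) and hit(r["resources"], resource) and hit(r["verbs"], verb)
               for r in rules)


if __name__ == "__main__":
    for target in SELECTORS:
        rules = aggregate(target, PIECES)
        print(target, "leases/delete:", allowed(rules, "coordination.k8s.io", "leases", "delete"),
              "solutions/patch:", allowed(rules, "sol.rt.cp.knowis.de", "solutions", "patch"))
```

The point worth keeping in mind when reviewing this table: aggregated rules become part of the built-in ClusterRole itself, so every RoleBinding to admin, edit or view in any project of the cluster, not only in the k5 projects, carries these verbs for the listed resources in that project.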
The following roles are created during the installation process:
| Role | Namespace of Role | ApiGroups | Resources | Verbs | 
|---|---|---|---|---|
| cpd-admin-additional-role | cpd project (e.g. zen) | "" route.openshift.io | pods/portforward routes | create delete exec get list patch update watch | 
| k5-leases-role | k5 project (e.g. dev-stage) | coordination.k8s.io | leases | create get list patch update watch | 
| k5-viewer-secrets-role | k5 project (e.g. dev-stage) | "" | secrets | get list watch | 
| k5-imagestreams-pipeline-manager-role | k5 project (e.g. dev-stage) | "" image.openshift.io | imagestreams | get list watch | 
| k5-imagestreams-pipeline-manager-role | k5 project (e.g. dev-stage) | "" image.openshift.io | imagestreams/layers | get | 
| k5-imagestreams-pipeline-role | k5 project (e.g. dev-stage) | "" image.openshift.io | imagestreams imagestreams/layers | get |