ibm-mas · durera · May 5, 2026 · Apr 3, 2026 · Apr 3, 2026 · Apr 3, 2026
@@ -22,8 +22,9 @@ ENV ANSIBLE_COLLECTIONS_PATH=/opt/app-root/lib64/python3.12/site-packages/ansibl
 
 # 3. Install Python packages
 # 4. Install Ansible collections
-# 5. Disable ibmcloud cli's new version check
-# 6. Set file permissions to be developer (hack) friendly
+# 5. Install Pre-Install RBAC files
+# 6. Disable ibmcloud cli's new version check
+# 7. Set file permissions to be developer (hack) friendly
 COPY install /tmp/install
 RUN --mount=type=secret,id=ARTIFACTORY_TOKEN \
     --mount=type=secret,id=ARTIFACTORY_GENERIC_RELEASE_URL \
@@ -37,6 +38,7 @@ RUN --mount=type=secret,id=ARTIFACTORY_TOKEN \
     ls /tmp/install && \
     bash /tmp/install/install-python-packages.sh && \
     bash /tmp/install/install-ansible-collections.sh && \
+    bash /tmp/install/pre-install-rbac.sh && \
     bash /tmp/install/permissions-updates.sh && \
     ibmcloud config --check-version=false && \
     ln -s /opt/app-root/lib/python3.12/site-packages /mascli/site-packages && \

@@ -44,6 +44,7 @@ if  [ $arch != "s390x" ] && [ $arch != "ppc64le" ]; then
     echo "  - ${TEXT_BOLD}${COLOR_GREEN}mas provision-rosa${TEXT_RESET} to provision an OCP cluster on AWS Red Hat OpenShift Service (ROSA)"
     echo "  - ${TEXT_BOLD}${COLOR_GREEN}mas provision-fyre${TEXT_RESET} to provision an OCP cluster on IBM DevIT Fyre (internal)"
     echo "  - ${TEXT_BOLD}${COLOR_GREEN}mas setup-rbac${TEXT_RESET} to setup RBAC resources for MAS installation in a cluster"
+    echo "  - ${TEXT_BOLD}${COLOR_GREEN}mas pre-install${TEXT_RESET} to set up pre-install RBAC for MAS installation in a cluster"
     echo "AI Service (Standalone) Management:"
     echo "  - ${TEXT_BOLD}${COLOR_GREEN}mas aiservice-install${TEXT_RESET} to install a new AI Service instance"
     echo "  - ${TEXT_BOLD}${COLOR_GREEN}mas aiservice-upgrade${TEXT_RESET} to upgrade a existing AI Service instance"

@@ -0,0 +1,110 @@
+#!/bin/bash
+
+set -e
+
+# This script clones the pre-install repository and copies operator RBAC files
+# into the CLI image during build time in a single RBAC root.
+#
+# Structures in pre-install:
+#   catalogs/maximo-operator-catalog/operators/<operator>/rbac/<mas_version>/*.yml
+#   openshift-platform/operators/<operator>/rbac/<mas_version>/*.yml
+#
+# Structure in CLI image:
+#   /opt/app-root/rbac/maximo-operator-catalog/operators/<operator>/rbac/<mas_version>/*.yml
+#   /opt/app-root/rbac/openshift-platform/operators/<operator>/rbac/<mas_version>/*.yml
+export GITHUB_REF_NAME="${GITHUB_REF_NAME:-ds.rbac}"
+export GITHUB_REF_TYPE="${GITHUB_REF_TYPE:-branch}"
+echo "========================================"
+echo "Installing Operator RBAC Files"
+echo "========================================"
+echo "GitHub reference = ${GITHUB_REF_TYPE}/${GITHUB_REF_NAME}"
+echo "Contents of /tmp/install/:"
+ls -l /tmp/install/
+echo ""
+
+# Destination root directory in CLI image
+RBAC_DEST="/opt/app-root/rbac"
+
+# Create destination directory
+mkdir -p "$RBAC_DEST"
+
+# If the local tar.gz file is present, extract and use it
+# Otherwise, clone from GitHub
+if [[ -e /tmp/install/pre-install.tar.gz ]]; then
+  echo "Installing local build of pre-install from archive"
+  cd /tmp/install
+  tar -xzf pre-install.tar.gz
+  PREINSTALL_SOURCE="/tmp/install/pre-install"
+else
+  # Clone pre-install repository
+  echo "Cloning pre-install repository from GitHub..."
+
+  # Determine which branch/tag to use
+  if [[ "$GITHUB_REF_TYPE" == "branch" ]]; then
+    PREINSTALL_BRANCH="${GITHUB_REF_NAME}"
+    echo "Attempting to clone matching branch: ${PREINSTALL_BRANCH}"
+  else
+    # For tag builds, use main branch
+    PREINSTALL_BRANCH="main"
+    echo "Using main branch for tag build"
+  fi
+
+  # Clone the repository
+  cd /tmp/install
+  if git clone --depth 1 --branch "${PREINSTALL_BRANCH}" https://github.com/ibm-mas/pre-install.git 2>/dev/null; then
+    echo "Successfully cloned pre-install repository (branch: ${PREINSTALL_BRANCH})"
+  else
+    echo "Branch ${PREINSTALL_BRANCH} not found, falling back to main branch"
+    git clone --depth 1 --branch main https://github.com/ibm-mas/pre-install.git
+  fi
+
+  PREINSTALL_SOURCE="/tmp/install/pre-install"
+fi
+
+MAXIMO_OPERATORS_SOURCE="$PREINSTALL_SOURCE/catalogs/maximo-operator-catalog/operators"
+OPENSHIFT_PLATFORM_OPERATORS_SOURCE="$PREINSTALL_SOURCE/openshift-platform/operators"
+
+echo "Copying RBAC files into $RBAC_DEST"
+
+VERSIONS_COPIED=()
+COPIED_SOURCE_ROOTS=()
+
+copy_operator_rbac() {
+  local SOURCE_ROOT="$1"
+  local DEST_ROOT="$2"
+
+  if [ ! -d "$SOURCE_ROOT" ]; then
+    echo "Skipping missing source: $SOURCE_ROOT"
+    return
+  fi
+
+  COPIED_SOURCE_ROOTS+=("$SOURCE_ROOT")
+
+  for OPERATOR_DIR in "$SOURCE_ROOT"/*/; do
+    if [ -d "$OPERATOR_DIR" ] && [ -d "$OPERATOR_DIR/rbac" ]; then
+      OPERATOR_NAME=$(basename "$OPERATOR_DIR")
+      DEST_PATH="$DEST_ROOT/$OPERATOR_NAME/rbac"
+      mkdir -p "$DEST_PATH"
+
+      if compgen -G "$OPERATOR_DIR/rbac/*" > /dev/null; then
+        cp -r "$OPERATOR_DIR/rbac"/* "$DEST_PATH/"
+      fi
+
+      for VERSION_DIR in "$OPERATOR_DIR/rbac"/*/; do
+        if [ -d "$VERSION_DIR" ]; then
+          VERSION_NAME=$(basename "$VERSION_DIR")
+          if [[ "$VERSION_NAME" =~ ^[0-9]+\.[0-9]+$ ]]; then
+            VERSIONS_COPIED+=("$VERSION_NAME")
+          fi
+        fi
+      done
+    fi
+  done
+}
+
+copy_operator_rbac "$MAXIMO_OPERATORS_SOURCE" "$RBAC_DEST/maximo-operator-catalog/operators"
+copy_operator_rbac "$OPENSHIFT_PLATFORM_OPERATORS_SOURCE" "$RBAC_DEST/openshift-platform/operators"
+
+VERSIONS_COPIED=($(printf "%s\n" "${VERSIONS_COPIED[@]}" | sort -u))
+echo "RBAC files copied successfully from: ${COPIED_SOURCE_ROOTS[*]}"
+echo "RBAC files copied successfully for versions: ${VERSIONS_COPIED[*]}"
@@ -42,6 +42,8 @@ export MAS_DOMAIN=$MAS_DOMAIN
 export CLUSTER_ISSUER_SELECTION=$CLUSTER_ISSUER_SELECTION
 export MAS_CLUSTER_ISSUER=$MAS_CLUSTER_ISSUER
 
+export MAS_PERMISSION_MODE=$MAS_PERMISSION_MODE
+
 export MAS_ROUTING_MODE=$MAS_ROUTING_MODE
 export MAS_INGRESS_CONTROLLER_NAME=$MAS_INGRESS_CONTROLLER_NAME
 export MAS_CONFIGURE_INGRESS=$MAS_CONFIGURE_INGRESS

@@ -827,6 +827,15 @@ case $1 in
     mas-cli setup-rbac "$@"
     ;;
 
+  pre-install)
+    echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" >> $LOGFILE
+    echo "!! pre-install                                                               !!" >> $LOGFILE
+    echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" >> $LOGFILE
+    # Take the first parameter off (it will be "pre-install")
+    shift
+    # Run the new Python-based pre-install command
+    mas-cli pre-install "$@"
+    ;;
 
   gitops)
     echo "${TEXT_UNDERLINE}IBM Maximo Application Suite GitOps Functions (v${VERSION})${TEXT_RESET}"

@@ -23,6 +23,7 @@ from mas.cli.backup.app import BackupApp
 from mas.cli.restore.app import RestoreApp
 from mas.cli.mirror.app import MirrorApp
 from mas.cli.setup_rbac.app import SetupRBACApp
+from mas.cli.pre_install.app import SetupPreinstallRBACApp
 
 from prompt_toolkit import HTML, print_formatted_text
 from urllib3.exceptions import MaxRetryError
@@ -50,6 +51,7 @@ def usage():
         + " - <ForestGreen>mas-cli uninstall</ForestGreen> Remove MAS from the cluster\n"  # noqa: W503
         + " - <ForestGreen>mas-cli mirror</ForestGreen>    Mirror container images \n"  # noqa: W503
         + " - <ForestGreen>mas-cli setup-rbac</ForestGreen>  Set up RBAC resources for MAS installation\n"  # noqa: W503
+        + " - <ForestGreen>mas-cli pre-install</ForestGreen>  Set up pre-install RBAC for MAS\n"  # noqa: W503
     ))
     print_formatted_text(HTML("For usage information run <ForestGreen>mas-cli [action] --help</ForestGreen>\n"))
 
@@ -89,6 +91,9 @@ if __name__ == '__main__':
         elif function == "setup-rbac":
             app = SetupRBACApp()
             app.setupRBAC(argv[2:])
+        elif function == "pre-install":
+            app = SetupPreinstallRBACApp()
+            app.setupPreinstallRBAC(argv[2:])
         elif function in ["-h", "--help"]:
             usage()
             exit(0)

@@ -60,6 +60,8 @@
     testCLI,
     launchInstallPipeline
 )
+from mas.devops.pre_install import applyPreInstallMASRBAC, permissionCheckForRBAC
+from mas.devops.utils import isVersionEqualOrAfter
 
 logger = logging.getLogger(__name__)
 
@@ -74,6 +76,72 @@ def wrapper(self, *args, **kwargs):
 
 
 class AiServiceInstallApp(BaseApp, aiServiceInstallArgBuilderMixin, aiServiceInstallSummarizerMixin, InstallSettingsMixin, ConfigGeneratorMixin):
+
+    def evaluatePreInstallRBACAccess(self) -> None:
+        self.applyPreInstallMASRBAC = False
+
+        if not isVersionEqualOrAfter('9.2.0', self.getParam("aiservice_channel")):
+            return
+
+        if self.getParam("skip_preinstall_rbac") == "true":
+            return
+
+        permissionResults = permissionCheckForRBAC(self.dynamicClient)
+        hasPreInstallRBACAccess = all(result["allowed"] for result in permissionResults)
+
+        if hasPreInstallRBACAccess:
+            self.applyPreInstallMASRBAC = True
+            return
+
+        if self.isInteractiveMode:
+            self.printDescription([
+                "",
+                f"You selected the '{self.getParam('permission_mode')}' permission mode.",
+                "The pre-install RBAC required for this permission mode has not been applied by your current cluster login.",
+                "This step must be completed by an OpenShift cluster administrator before AI Service installation can continue.",
+                "Ask your OpenShift administrator to run 'mas pre-install' for this AI Service instance.",
+                "If that has already been done, you can continue the installation without applying it again."
+            ])
+
+            if not self.yesOrNo("Has your OpenShift administrator already run 'mas pre-install' for this AI Service installation"):
+                self.fatalError("Installation aborted. Ask your OpenShift administrator to run 'mas pre-install' for this AI Service installation and then run 'mas aiservice-install' again with --skip-preinstall-rbac.")
+        else:
+            self.fatalError(
+                "\n".join([
+                    f"You selected the '{self.getParam('permission_mode')}' permission mode.",
+                    "The pre-install RBAC required for this permission mode has not been applied by your current cluster login.",
+                    "This step must be completed by an OpenShift cluster administrator before AI Service installation can continue.",
+                    "Ask your OpenShift administrator to run 'mas pre-install' for this installation and then rerun 'mas aiservice-install' with --skip-preinstall-rbac."
+                ])
+            )
+
+    def configPermissionMode(self) -> None:
+        if self.showAdvancedOptions:
+            self.printH1("Configure Permission Mode")
+            self.printDescription([
+                "Choose how AI Service should be installed with respect to permissions:",
+                "",
+                "  1. <b>cluster</b> - Install with ClusterRoles (default)",
+                "     - AI Service has cluster-level access to manage its resources across the cluster",
+                "     - CLI pre-installs ClusterRoles to grant delegated admin permissions to AI Service service accounts",
+                "",
+                "  2. <b>namespaced</b> - Install with namespace-scoped Roles only",
+                "     - No ClusterRoles are installed in this mode",
+                "     - CLI pre-installs namespace-scoped Roles in prepared namespaces to grant delegated admin permissions",
+                "     - AI Service can manage resources only in namespaces prepared by the OpenShift admin",
+                "",
+                "  3. <b>minimal</b> - Install with essential namespace-scoped Roles only",
+                "     - No ClusterRoles are installed in this mode",
+                "     - Only essential permissions required for AI Service are applied",
+                "     - AI Service can manage only the resources covered by these essential permissions"
+            ])
+
+            permissionModeInt = self.promptForInt("Permission Mode", default=1, min=1, max=3)
+            permissionModeMap = {1: "cluster", 2: "namespaced", 3: "minimal"}
+            self.setParam("permission_mode", permissionModeMap[permissionModeInt])
+        elif self.getParam("permission_mode") == "":
+            self.setParam("permission_mode", "cluster")
+
     @logMethodCall
     def processCatalogChoice(self) -> list:
         self.catalogDigest = self.chosenCatalog["catalog_digest"]
@@ -175,6 +243,9 @@ def interactiveMode(self, simplified: bool, advanced: bool) -> None:
         self.configMongoDb()
         self.setDB2DefaultChannel()
         self.setDB2DefaultSettings()
+        # Permission mode prompt (especially in dev mode)
+        if isVersionEqualOrAfter('9.2.0', self.getParam("aiservice_channel")):
+            self.configPermissionMode()
 
     @logMethodCall
     def nonInteractiveMode(self) -> None:
@@ -334,7 +405,7 @@ def nonInteractiveMode(self) -> None:
                             self.fatalError(f"Unsupported format for {key} ({value}).  Expected int:int:boolean")
 
             # Arguments that we don't need to do anything with
-            elif key in ["accept_license", "dev_mode", "skip_pre_check", "skip_grafana_install", "no_confirm", "help", "advanced", "simplified"]:
+            elif key in ["accept_license", "dev_mode", "skip_pre_check", "skip_preinstall_rbac", "skip_grafana_install", "no_confirm", "help", "advanced", "simplified"]:
                 pass
 
             elif key == "manual_certificates":
@@ -370,6 +441,13 @@ def nonInteractiveMode(self) -> None:
             self.validateCatalogSource()
             self.licensePrompt()
 
+        if self.getParam("permission_mode") != "" and not isVersionEqualOrAfter('9.2.0', self.getParam("aiservice_channel")):
+            self.fatalError("--permission-mode is supported only for AI Service releases aligned to MAS 9.2.0 and later")
+
+        # Set default permission_mode for 9.2.0+ if not provided
+        if isVersionEqualOrAfter('9.2.0', self.getParam("aiservice_channel")) and self.getParam("permission_mode") == "":
+            self.setParam("permission_mode", "cluster")
+
     @logMethodCall
     def install(self, argv):
         """
@@ -409,6 +487,9 @@ def install(self, argv):
         if args.skip_pre_check:
             self.setParam("skip_pre_check", "true")
 
+        if hasattr(args, 'skip_preinstall_rbac') and args.skip_preinstall_rbac:
+            self.setParam("skip_preinstall_rbac", "true")
+
         if instanceId is None:
             self.printH1("Set Target OpenShift Cluster")
             # Connect to the target cluster
@@ -450,6 +531,8 @@ def install(self, argv):
         else:
             self.nonInteractiveMode()
 
+        self.evaluatePreInstallRBACAccess()
+
         # Set up the sls license file
         self.slsLicenseFile()
 
@@ -511,6 +594,17 @@ def install(self, argv):
 
                 h.stop_and_persist(symbol=self.successIcon, text=f"Namespace is ready ({pipelinesNamespace})")
 
+            if self.applyPreInstallMASRBAC:
+                with Halo(text=f"Setting up pre-install RBAC for AI Service instance {self.getParam('aiservice_instance_id')}...", spinner=self.spinner) as h:
+                    applyPreInstallMASRBAC(
+                        dynClient=self.dynamicClient,
+                        masVersion=".".join(self.getParam("aiservice_channel").split(".")[:2]),
+                        masInstanceId=self.getParam("aiservice_instance_id"),
+                        permissionMode=self.getParam("permission_mode"),
+                        selectedApps=["aiservice"]
+                    )
+                    h.stop_and_persist(symbol=self.successIcon, text=f"Pre-install RBAC for AI Service is ready for {self.getParam('aiservice_instance_id')}")
+
             with Halo(text='Testing availability of MAS CLI image in cluster', spinner=self.spinner) as h:
                 testCLI()
                 h.stop_and_persist(symbol=self.successIcon, text="MAS CLI image deployment test completed")

@@ -96,6 +96,10 @@ def buildCommand(self) -> str:
             command += f"  --dev-mode{newline}"
         if self.getParam('skip_pre_check') is True:
             command += f"  --skip-pre-check{newline}"
+        if self.getParam('permission_mode') != "":
+            command += f"  --permission-mode \"{self.getParam('permission_mode')}\"{newline}"
+        if self.getParam('skip_preinstall_rbac') != "":
+            command += f"  --skip-preinstall-rbac{newline}"
         if self.getParam('image_pull_policy') != "":
             command += f"  --image-pull-policy {self.getParam('image_pull_policy')}{newline}"
         if self.getParam('service_account_name') != "":

@@ -435,6 +435,20 @@ def isValidFile(parser, arg) -> str:
     required=False,
     help="Provide the name of the Issuer to configure AI Service to issue certificates",
 )
+aiserviceAdvancedArgGroup.add_argument(
+    "--permission-mode",
+    dest="permission_mode",
+    required=False,
+    choices=["cluster", "namespaced", "minimal"],
+    help="The permission mode used to determine which pre-install RBAC manifests are applied for AI Service (MAS 9.2+ advanced option)"
+)
+aiserviceAdvancedArgGroup.add_argument(
+    "--skip-preinstall-rbac",
+    dest="skip_preinstall_rbac",
+    required=False,
+    action="store_true",
+    help="Skip pre-install RBAC setup (non-interactive mode only)"
+)
 aiserviceAdvancedArgGroup.add_argument(
     "--enable-ipv6",
     dest="enable_ipv6",

@@ -104,6 +104,9 @@
     # Certificate Issuer
     "aiservice_certificate_issuer",
 
+    # permission mode
+    "permission_mode",
+
     # Enable IPv6 networking
     "enable_ipv6",
 

@@ -46,6 +46,9 @@ def aiServiceSummary(self) -> None:
         self.printParamSummary("Release", "aiservice_channel")
         self.printParamSummary("Instance ID", "aiservice_instance_id")
         self.printParamSummary("Environment Type", "environment_type")
+        if self.getParam("permission_mode") not in [None, ""]:
+            self.printParamSummary("Permission Mode", "permission_mode")
+            self.printSummary("Skip Pre-Install RBAC", "Yes" if self.getParam('skip_preinstall_rbac') == "true" else "No")
 
         if "aiservice_certificate_issuer" in self.params:
             self.printParamSummary("Certificate Issuer", "aiservice_certificate_issuer")