From 007b1e4253ab86de861cca03e18f3476df4fb8f4 Mon Sep 17 00:00:00 2001 From: Unnati Solanki Date: Sun, 3 May 2026 16:48:56 +0530 Subject: [PATCH 01/18] [patch] Fix required permissions --- rbac/install/namespaces.yaml | 10 +++ rbac/install/pipeline/clusterrole.yaml | 87 ++++++++++++++++++ rbac/install/pipeline/ibm-sls.yaml | 117 +++++++++++++++++++++++++ 3 files changed, 214 insertions(+) diff --git a/rbac/install/namespaces.yaml b/rbac/install/namespaces.yaml index 610f555841c..ce98cfe067d 100644 --- a/rbac/install/namespaces.yaml +++ b/rbac/install/namespaces.yaml @@ -31,6 +31,11 @@ metadata: --- apiVersion: v1 kind: Namespace +metadata: + name: sls-{{ mas_instance_id }} +--- +apiVersion: v1 +kind: Namespace metadata: name: mongoce --- @@ -43,3 +48,8 @@ apiVersion: v1 kind: Namespace metadata: name: openshift-pipelines +--- +apiVersion: v1 +kind: Namespace +metadata: + name: db2u diff --git a/rbac/install/pipeline/clusterrole.yaml b/rbac/install/pipeline/clusterrole.yaml index 665a4c6fec8..c6bf77b137d 100644 --- a/rbac/install/pipeline/clusterrole.yaml +++ b/rbac/install/pipeline/clusterrole.yaml 
@@ -106,3 +106,90 @@ rules: - create - patch - list + + # Must-gather needs to read pods and their logs across all namespaces + - apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - get + - list + + # Must-gather needs to read events for diagnostics + - apiGroups: + - "" + resources: + - events + verbs: + - get + - list + + # Must-gather needs to read services and endpoints + - apiGroups: + - "" + resources: + - services + - endpoints + verbs: + - get + - list + + # Must-gather needs to read configmaps across namespaces + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + + # Must-gather needs to read PVCs and PVs + - apiGroups: + - "" + resources: + - persistentvolumeclaims + - persistentvolumes + verbs: + - get + - list + + # Must-gather needs to read nodes for cluster diagnostics + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + + # Must-gather needs to read all MAS custom resources + - apiGroups: + - core.mas.ibm.com + - config.mas.ibm.com + - apps.mas.ibm.com + resources: + - "*" + verbs: + - get + - list + + # Must-gather needs to read operator resources + - apiGroups: + - operators.coreos.com + resources: + - clusterserviceversions + - installplans + verbs: + - get + - list + + # Must-gather needs to read routes + - apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - list diff --git a/rbac/install/pipeline/ibm-sls.yaml b/rbac/install/pipeline/ibm-sls.yaml index d6056f700e5..5fde4aaafe9 100644 --- a/rbac/install/pipeline/ibm-sls.yaml +++ b/rbac/install/pipeline/ibm-sls.yaml 
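Review bot: The cluster-wide `configmaps` and `pods/log` get/list rules added to this ClusterRole let the install-pipeline service account read every ConfigMap and every container log in the cluster (assuming the binding at the top of clusterrole.yaml is a ClusterRoleBinding, which the cluster-scoped `nodes`/`persistentvolumes` rules imply), which goes well beyond an installer's needs and is a common source of leaked credentials. If must-gather genuinely needs this, give it a dedicated must-gather ServiceAccount and ClusterRole rather than widening the installer's role, so the two privilege sets can be granted, revoked and audited separately. The `resources: - "*"` entry for the three MAS API groups should list the CR kinds explicitly, as the namespaced roles in this series do, because a wildcard silently grows with every new CRD. Only get/list are granted, so the exposure is read-only, but a diagnostic use case does not justify a cluster-scoped grant to the installer identity.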
@@ -52,3 +52,120 @@ rules: verbs: - create - patch + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:sls-instance + namespace: sls-{{ mas_instance_id }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: mas:{{ mas_instance_id }}:install-pipeline:sls-instance +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:sls-instance + namespace: sls-{{ mas_instance_id }} +rules: + # SLS instance namespace management + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - patch + + # SLS requires secrets for entitlement keys and certificates + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - patch + - delete + + # SLS requires configmaps + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - create + - patch + + # SLS requires service accounts + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - create + - patch + + # SLS instance creation and management + - apiGroups: + - sls.ibm.com + resources: + - licenseservices + verbs: + - get + - create + - patch + - list + - watch + + # SLS requires PVCs + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get + - create + - patch + - list + + # SLS requires services + - apiGroups: + - "" + resources: + - services + verbs: + - get + - create + - patch + + # SLS requires deployments and statefulsets + - apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - get + - create + - patch + - list + - watch + + # SLS requires routes for external access + - apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - create + - patch 
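Review bot: The `secrets` rule in the new `sls-instance` Role grants `delete`, which none of the sibling rules in this hunk carry and which the comment ("entitlement keys and certificates") does not explain; a compromised or buggy pipeline task could remove the SLS certificate secrets with it. If a specific secret is recreated by the pipeline, add `resourceNames:` naming that secret to a separate rule holding only `delete`, or drop the verb and use `patch` to rotate in place. The `namespaces` get/patch rule is fine as written since a namespaced Role only ever covers its own namespace object. The rule comment should state which secret is deleted and by which task, e.g. `# delete is required only to recreate <secret> during re-install`.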
From e94fdc6e23b4f5aa9f734a7b9236d0c45398f5b1 Mon Sep 17 00:00:00 2001 From: Unnati Solanki Date: Sun, 3 May 2026 18:42:58 +0530 Subject: [PATCH 02/18] [patch] Update sls and db2u permissions --- rbac/install/pipeline/clusterrole.yaml | 9 +++++++++ rbac/install/pipeline/db2u.yaml | 12 ++++++++++++ rbac/install/pipeline/ibm-sls.yaml | 13 +++++++++++++ 3 files changed, 34 insertions(+) diff --git a/rbac/install/pipeline/clusterrole.yaml b/rbac/install/pipeline/clusterrole.yaml index c6bf77b137d..94415ec5bb0 100644 --- a/rbac/install/pipeline/clusterrole.yaml +++ b/rbac/install/pipeline/clusterrole.yaml @@ -193,3 +193,12 @@ rules: verbs: - get - list + + # Creating routes with custom hostnames requires cluster-wide permission + - apiGroups: + - route.openshift.io + resources: + - routes/custom-host + verbs: + - create + - update diff --git a/rbac/install/pipeline/db2u.yaml b/rbac/install/pipeline/db2u.yaml index e690892eb4a..d980e3059f7 100644 --- a/rbac/install/pipeline/db2u.yaml +++ b/rbac/install/pipeline/db2u.yaml @@ -107,3 +107,15 @@ rules: - patch - list - watch + + + # DB2 requires routes for external access + - apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - get + - create + - patch + - list diff --git a/rbac/install/pipeline/ibm-sls.yaml b/rbac/install/pipeline/ibm-sls.yaml index 5fde4aaafe9..711b6cd4279 100644 --- a/rbac/install/pipeline/ibm-sls.yaml +++ b/rbac/install/pipeline/ibm-sls.yaml @@ -83,6 +83,19 @@ rules: - get - patch + # SLS operator subscription requires operatorgroups + - apiGroups: + - operators.coreos.com + resources: + - operatorgroups + - subscriptions + - installplans + verbs: + - get + - list + - create + - patch + # SLS requires secrets for entitlement keys and certificates - apiGroups: - "" From 4a72d53dbf14b497dc3592dcff6ef18566acb3e7 Mon Sep 17 00:00:00 2001 
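Review bot: `routes/custom-host` with `create`/`update` in the cluster-scoped role lets the install-pipeline service account set `spec.host` to an arbitrary hostname on any Route it can create or modify, which on OpenShift is the control that stops one namespace from claiming another's hostname; combined with the `routes` create/patch rules added to the db2u and sls Roles in this same patch, the pipeline can bind a chosen host to a name already served elsewhere in the cluster. If only creation with a custom host is required, drop `update` (it allows re-pointing an existing host) and document in the comment which hostnames the installer sets, e.g. `# Needed so the SLS/DB2 routes can be created with spec.host chosen by the installer`. Consider whether those Routes could accept router-generated hostnames instead, which removes the need for this rule entirely.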
From: Unnati Solanki Date: Sun, 3 May 2026 20:06:48 +0530 Subject: [PATCH 03/18] [patch] Update suite and must-gather permissions --- image/cli/mascli/functions/must_gather | 4 ++-- rbac/install/pipeline/db2u.yaml | 12 ++++++++++++ rbac/install/pipeline/mas-x-core.yaml | 2 ++ 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/image/cli/mascli/functions/must_gather b/image/cli/mascli/functions/must_gather index 1509f977409..5a65bb4397d 100644 --- a/image/cli/mascli/functions/must_gather +++ b/image/cli/mascli/functions/must_gather @@ -226,10 +226,10 @@ function mustgather() { if [ "$(oc whoami 2>/dev/null)" == "" ] ; then echo_warning "You must be logged in to the server as a cluster administrator before running the must-gather command" - exit 1 + # exit 1 elif [ "$(oc get clusterrolebindings 2>&1 | grep forbidden)" != "" ] ; then echo_warning "Your user does not appear to be a cluster administrator, you must be logged in to the server as a cluster administrator before running the must-gather command" - exit 1 + # exit 1 fi # --------------------------------------------------------------------------- diff --git a/rbac/install/pipeline/db2u.yaml b/rbac/install/pipeline/db2u.yaml index d980e3059f7..7c2ae71c521 100644 --- a/rbac/install/pipeline/db2u.yaml +++ b/rbac/install/pipeline/db2u.yaml @@ -94,6 +94,18 @@ rules: - create - patch - list + # DB2 setup requires pod exec access to copy files and run commands + - apiGroups: + - "" + resources: + - pods + - pods/log + - pods/exec + verbs: + - get + - list + - create + # DB2 requires cert-manager issuers and certificates for SSL - apiGroups: diff --git a/rbac/install/pipeline/mas-x-core.yaml b/rbac/install/pipeline/mas-x-core.yaml index 949cdbc6e1e..75622cd8dc5 100644 --- a/rbac/install/pipeline/mas-x-core.yaml +++ b/rbac/install/pipeline/mas-x-core.yaml @@ -66,6 +66,8 @@ rules: - kafkacfgs - slscfgs - bascfgs + - idpcfgs + - smtpcfgs verbs: - get - create 
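Review bot: Commenting out both `exit 1` calls turns the cluster-admin precondition into a warning that is printed and then ignored, so must-gather now continues when `oc whoami` returns nothing or when listing ClusterRoleBindings is forbidden, producing a partial or empty gather with no non-zero status for callers to detect. If the intent is to allow non-admin runs, replace the dead guard with an explicit opt-in rather than leaving commented-out code, e.g. `[ -n "$MUST_GATHER_ALLOW_NON_ADMIN" ] || exit 1`, and keep a hard failure when `oc whoami` is empty since nothing after this point works without a login. The enclosing `mustgather` function starts and ends outside the hunk.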
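Review bot: Granting `create` on `pods/exec` in the db2u Role lets the install-pipeline service account run arbitrary commands inside every pod in that namespace, including the DB2 engine pods, which is equivalent to whatever those pods' service accounts and mounted secrets can do; the comment should name the task and target pod, and the rule should be narrowed with `resourceNames` if the pod names are predictable. Because `pods`, `pods/log` and `pods/exec` share one verb list, `create` is also granted on `pods` and `pods/log` here, which the comment does not justify; split them so only exec gets create, e.g. `- resources: [pods, pods/log]` with `verbs: [get, list]` and a second rule `- resources: [pods/exec]` with `verbs: [create]`. Note that `db2u` is a fixed, presumably shared namespace (see namespaces.yaml), so this exec capability spans every DB2 instance there, not just this MAS instance's.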
From 836b0a61d693957d02af81c8233875955412021c Mon Sep 17 00:00:00 2001 From: Unnati Solanki Date: Mon, 4 May 2026 12:00:13 +0530 Subject: [PATCH 04/18] [patch] Add required app permissions in install pipeline --- rbac/install/kustomization.yaml | 1 + rbac/install/namespaces.yaml | 35 +++++ rbac/install/pipeline/mas-x-app.yaml | 183 +++++++++++++++++++++++++++ 3 files changed, 219 insertions(+) create mode 100644 rbac/install/pipeline/mas-x-app.yaml diff --git a/rbac/install/kustomization.yaml b/rbac/install/kustomization.yaml index e9550326c32..245432a16e4 100644 --- a/rbac/install/kustomization.yaml +++ b/rbac/install/kustomization.yaml @@ -21,6 +21,7 @@ resources: - pipeline/eck.yaml - pipeline/grafana5.yaml - pipeline/ibm-sls.yaml + - pipeline/mas-x-app.yaml - pipeline/mas-x-core.yaml - pipeline/mas-x-pipelines.yaml - pipeline/mongoce.yaml diff --git a/rbac/install/namespaces.yaml b/rbac/install/namespaces.yaml index ce98cfe067d..4b198841114 100644 --- a/rbac/install/namespaces.yaml +++ b/rbac/install/namespaces.yaml @@ -53,3 +53,38 @@ apiVersion: v1 kind: Namespace metadata: name: db2u +--- +apiVersion: v1 +kind: Namespace +metadata: + name: mas-{{ mas_instance_id }}-manage +--- +apiVersion: v1 +kind: Namespace +metadata: + name: mas-{{ mas_instance_id }}-monitor +--- +apiVersion: v1 +kind: Namespace +metadata: + name: mas-{{ mas_instance_id }}-health +--- +apiVersion: v1 +kind: Namespace +metadata: + name: mas-{{ mas_instance_id }}-predict +--- +apiVersion: v1 +kind: Namespace +metadata: + name: mas-{{ mas_instance_id }}-assist +--- +apiVersion: v1 +kind: Namespace +metadata: + name: mas-{{ mas_instance_id }}-visualinspection +--- +apiVersion: v1 +kind: Namespace +metadata: + name: mas-{{ mas_instance_id }}-iot diff --git a/rbac/install/pipeline/mas-x-app.yaml b/rbac/install/pipeline/mas-x-app.yaml new file mode 100644 index 00000000000..6224c1dabf7 --- /dev/null +++ b/rbac/install/pipeline/mas-x-app.yaml 
@@ -0,0 +1,183 @@ +--- +# Shared ClusterRole for all MAS Applications +# This ClusterRole is bound to each application namespace below +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app +rules: + # Application installation requires namespace management + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - patch + + # Application operator subscription + - apiGroups: + - operators.coreos.com + resources: + - installplans + - operatorgroups + - subscriptions + verbs: + - get + - list + - create + - patch + + # Application requires secrets for entitlement keys and credentials + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - patch + - delete + + # Application requires service accounts + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - create + - patch + + # Application requires configmaps + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - create + - patch + + # Application CRDs - all MAS application types + - apiGroups: + - apps.mas.ibm.com + resources: + - manageapps + - manageworkspaces + - healthapps + - predictapps + - assistapps + - visualinspectionapps + - iotapps + verbs: + - get + - create + - patch + - list + - watch +--- +# Maximo Manage Application +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app-manage + namespace: mas-{{ mas_instance_id }}-manage +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +# Maximo Monitor Application +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app-monitor + namespace: mas-{{ 
mas_instance_id }}-monitor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +# Maximo Health Application +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app-health + namespace: mas-{{ mas_instance_id }}-health +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +# Maximo Predict Application +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app-predict + namespace: mas-{{ mas_instance_id }}-predict +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +# Maximo Assist Application +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app-assist + namespace: mas-{{ mas_instance_id }}-assist +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +# Maximo Visual Inspection Application +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app-visualinspection + namespace: mas-{{ mas_instance_id }}-visualinspection +roleRef: + 
apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +# IoT Tool Application +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app-iot + namespace: mas-{{ mas_instance_id }}-iot +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: mas:{{ mas_instance_id }}:install-pipeline:mas-app +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines From f48d4d97dff434433960b007963c21a3657f6019 Mon Sep 17 00:00:00 2001 From: Unnati Solanki Date: Wed, 6 May 2026 13:49:09 +0530 Subject: [PATCH 05/18] [patch] Permission for finalizer --- rbac/install/pipeline/clusterrole.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rbac/install/pipeline/clusterrole.yaml b/rbac/install/pipeline/clusterrole.yaml index 94415ec5bb0..48d10f58e8d 100644 --- a/rbac/install/pipeline/clusterrole.yaml +++ b/rbac/install/pipeline/clusterrole.yaml @@ -11,6 +11,9 @@ subjects: - kind: ServiceAccount name: mas-{{ mas_instance_id }}-install-pipeline namespace: mas-{{ mas_instance_id }}-pipelines + - kind: ServiceAccount + name: pipeline + namespace: mas-{{ mas_instance_id }}-pipelines --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole From 597fab53b92e4c74deb53d20997a468756992a44 Mon Sep 17 00:00:00 2001 From: Unnati Solanki Date: Wed, 6 May 2026 14:08:45 +0530 Subject: [PATCH 06/18] [patch] Disable must-gather permissions tmp --- rbac/install/pipeline/clusterrole.yaml | 156 ++++++++++++------------- 1 file changed, 78 insertions(+), 78 deletions(-) diff --git a/rbac/install/pipeline/clusterrole.yaml b/rbac/install/pipeline/clusterrole.yaml index 48d10f58e8d..bdc9a79f127 100644 
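Review bot: The shared `mas-app` ClusterRole grants `delete` on `secrets` in all seven application namespaces through the per-namespace RoleBindings, while `configmaps` and `serviceaccounts` in the same hunk get only get/create/patch; unless a documented step removes a secret, drop `delete` or pin it with `resourceNames` so the installer cannot wipe application credentials. Binding a ClusterRole via RoleBinding is the right shape here since it keeps every rule namespaced, which is worth saying in the header comment, e.g. `# Bound per-namespace via RoleBinding below; none of these rules are cluster-wide`. The `operators.coreos.com` rule lets the pipeline create Subscriptions in each app namespace, and OLM then installs the operator with its own (often cluster-scoped) RBAC, so this role should be audited as near-namespace-admin rather than as the modest list it appears to be.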
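Review bot: Adding the default Tekton `pipeline` ServiceAccount as a second subject of this binding extends every cluster-scoped rule in clusterrole.yaml (including `routes/custom-host` and, later in this series, `clusterpolicies`) to any PipelineRun or TaskRun in the pipelines namespace that does not set its own `serviceAccountName`, not only the finalizer the commit message mentions. Prefer running the finalizer under `mas-{{ mas_instance_id }}-install-pipeline` via `serviceAccountName`/`taskRunSpecs`, or bind a minimal Role holding only the finalizer's permissions to the `pipeline` SA; at minimum the added subject needs a comment naming the task that requires it, e.g. `# finally-task runs under the default 'pipeline' SA`. The binding's header and roleRef start above the hunk.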
--- a/rbac/install/pipeline/clusterrole.yaml +++ b/rbac/install/pipeline/clusterrole.yaml 
@@ -110,92 +110,92 @@ rules: - patch - list - # Must-gather needs to read pods and their logs across all namespaces - - apiGroups: - - "" - resources: - - pods - - pods/log - verbs: - - get - - list + # # Must-gather needs to read pods and their logs across all namespaces + # - apiGroups: + # - "" + # resources: + # - pods + # - pods/log + # verbs: + # - get + # - list - # Must-gather needs to read events for diagnostics - - apiGroups: - - "" - resources: - - events - verbs: - - get - - list + # # Must-gather needs to read events for diagnostics + # - apiGroups: + # - "" + # resources: + # - events + # verbs: + # - get + # - list - # Must-gather needs to read services and endpoints - - apiGroups: - - "" - resources: - - services - - endpoints - verbs: - - get - - list + # # Must-gather needs to read services and endpoints + # - apiGroups: + # - "" + # resources: + # - services + # - endpoints + # verbs: + # - get + # - list - # Must-gather needs to read configmaps across namespaces - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list + # # Must-gather needs to read configmaps across namespaces + # - apiGroups: + # - "" + # resources: + # - configmaps + # verbs: + # - get + # - list - # Must-gather needs to read PVCs and PVs - - apiGroups: - - "" - resources: - - persistentvolumeclaims - - persistentvolumes - verbs: - - get - - list + # # Must-gather needs to read PVCs and PVs + # - apiGroups: + # - "" + # resources: + # - persistentvolumeclaims + # - persistentvolumes + # verbs: + # - get + # - list - # Must-gather needs to read nodes for cluster diagnostics - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list + # # Must-gather needs to read nodes for cluster diagnostics + # - apiGroups: + # - "" + # resources: + # - nodes + # verbs: + # - get + # - list - # Must-gather needs to read all MAS custom resources - - apiGroups: - - core.mas.ibm.com - - config.mas.ibm.com - - apps.mas.ibm.com - resources: - - "*" - verbs: - - get 
- - list + # # Must-gather needs to read all MAS custom resources + # - apiGroups: + # - core.mas.ibm.com + # - config.mas.ibm.com + # - apps.mas.ibm.com + # resources: + # - "*" + # verbs: + # - get + # - list - # Must-gather needs to read operator resources - - apiGroups: - - operators.coreos.com - resources: - - clusterserviceversions - - installplans - verbs: - - get - - list + # # Must-gather needs to read operator resources + # - apiGroups: + # - operators.coreos.com + # resources: + # - clusterserviceversions + # - installplans + # verbs: + # - get + # - list - # Must-gather needs to read routes - - apiGroups: - - route.openshift.io - resources: - - routes - verbs: - - get - - list + # # Must-gather needs to read routes + # - apiGroups: + # - route.openshift.io + # resources: + # - routes + # verbs: + # - get + # - list # Creating routes with custom hostnames requires cluster-wide permission - apiGroups: From 845b7f6c1d1fcaadb5e633a00d7dcf4f71422110 Mon Sep 17 00:00:00 2001 From: Unnati Solanki Date: Thu, 7 May 2026 20:43:56 +0530 Subject: [PATCH 07/18] [patch] Core and Manage permissions --- image/cli/mascli/functions/must_gather | 4 +- rbac/install/pipeline/clusterrole.yaml | 89 +------------------------- 2 files changed, 3 insertions(+), 90 deletions(-) diff --git a/image/cli/mascli/functions/must_gather b/image/cli/mascli/functions/must_gather index 5a65bb4397d..1509f977409 100644 --- a/image/cli/mascli/functions/must_gather +++ b/image/cli/mascli/functions/must_gather 
@@ -226,10 +226,10 @@ function mustgather() { if [ "$(oc whoami 2>/dev/null)" == "" ] ; then echo_warning "You must be logged in to the server as a cluster administrator before running the must-gather command" - # exit 1 + exit 1 elif [ "$(oc get clusterrolebindings 2>&1 | grep forbidden)" != "" ] ; then echo_warning "Your user does not appear to be a cluster administrator, you must be logged in to the server as a cluster administrator before running the must-gather command" - # exit 1 + exit 1 fi # --------------------------------------------------------------------------- diff --git a/rbac/install/pipeline/clusterrole.yaml b/rbac/install/pipeline/clusterrole.yaml index bdc9a79f127..324826b7b60 100644 --- a/rbac/install/pipeline/clusterrole.yaml +++ b/rbac/install/pipeline/clusterrole.yaml 
@@ -109,94 +109,7 @@ rules: - create - patch - list - - # # Must-gather needs to read pods and their logs across all namespaces - # - apiGroups: - # - "" - # resources: - # - pods - # - pods/log - # verbs: - # - get - # - list - - # # Must-gather needs to read events for diagnostics - # - apiGroups: - # - "" - # resources: - # - events - # verbs: - # - get - # - list - - # # Must-gather needs to read services and endpoints - # - apiGroups: - # - "" - # resources: - # - services - # - endpoints - # verbs: - # - get - # - list - - # # Must-gather needs to read configmaps across namespaces - # - apiGroups: - # - "" - # resources: - # - configmaps - # verbs: - # - get - # - list - - # # Must-gather needs to read PVCs and PVs - # - apiGroups: - # - "" - # resources: - # - persistentvolumeclaims - # - persistentvolumes - # verbs: - # - get - # - list - - # # Must-gather needs to read nodes for cluster diagnostics - # - apiGroups: - # - "" - # resources: - # - nodes - # verbs: - # - get - # - list - - # # Must-gather needs to read all MAS custom resources - # - apiGroups: - # - core.mas.ibm.com - # - config.mas.ibm.com - # - apps.mas.ibm.com - # resources: - # - "*" - # verbs: - # - get - # - list - - # # Must-gather needs to read operator resources - # - apiGroups: - # - operators.coreos.com - # resources: - # - clusterserviceversions - # - installplans - # verbs: - # - get - # - list - - # # Must-gather needs to read routes - # - apiGroups: - # - route.openshift.io - # resources: - # - routes - # verbs: - # - get - # - list - + # Creating routes with custom hostnames requires cluster-wide permission - apiGroups: - route.openshift.io From a12b069a2687f1556634fdf6eaf52ae4e2dfe859 Mon Sep 17 00:00:00 2001 From: Unnati Solanki Date: Fri, 8 May 2026 20:30:28 +0530 Subject: [PATCH 08/18] [patch] Remove cluster admin permissions --- image/cli/mascli/functions/must_gather | 8 -------- 1 file changed, 8 deletions(-) 
diff --git a/image/cli/mascli/functions/must_gather b/image/cli/mascli/functions/must_gather index 1509f977409..a4e10d0058a 100644 --- a/image/cli/mascli/functions/must_gather +++ b/image/cli/mascli/functions/must_gather @@ -224,14 +224,6 @@ function mustgather() { echo "For help reviewing the content of the must gather refer to:" echo "https://www.ibm.com/support/pages/how-review-maximo-application-suite-must-gather" - if [ "$(oc whoami 2>/dev/null)" == "" ] ; then - echo_warning "You must be logged in to the server as a cluster administrator before running the must-gather command" - exit 1 - elif [ "$(oc get clusterrolebindings 2>&1 | grep forbidden)" != "" ] ; then - echo_warning "Your user does not appear to be a cluster administrator, you must be logged in to the server as a cluster administrator before running the must-gather command" - exit 1 - fi - # --------------------------------------------------------------------------- # Generate OCP Report # --------------------------------------------------------------------------- From 657f84f573035cf22cbee629575a9497360845ee Mon Sep 17 00:00:00 2001 From: Unnati Solanki Date: Sat, 9 May 2026 18:27:34 +0530 Subject: [PATCH 09/18] [patch] Fix nvidia-gpu permission --- rbac/install/kustomization.yaml | 1 + rbac/install/namespaces.yaml | 5 ++++ rbac/install/pipeline/openshift-nfd.yaml | 33 ++++++++++++++++++++++++ 3 files changed, 39 insertions(+) create mode 100644 rbac/install/pipeline/openshift-nfd.yaml diff --git a/rbac/install/kustomization.yaml b/rbac/install/kustomization.yaml index 245432a16e4..6353f83aa68 100644 --- a/rbac/install/kustomization.yaml +++ b/rbac/install/kustomization.yaml @@ -30,6 +30,7 @@ resources: - pipeline/openshift-ingress.yaml - pipeline/openshift-marketplace.yaml - pipeline/openshift-monitoring.yaml + - pipeline/openshift-nfd.yaml - pipeline/openshift-operators.yaml - pipeline/openshift-user-workload-monitoring.yaml - pipeline/redhat-marketplace.yaml 
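Review bot: Deleting the login and cluster-admin check removes the only precondition in `mustgather` before the OCP report is generated, so an unauthenticated or under-privileged run will now fail piecemeal inside the individual `oc` calls, with Forbidden errors buried in the gathered output instead of a clear early exit. Keep the `oc whoami` test as a hard failure and replace the ClusterRoleBinding heuristic with a targeted check for what must-gather actually reads, e.g. `oc auth can-i list pods --all-namespaces -q || { echo_warning "insufficient privileges for must-gather"; exit 1; }`, which passes for both cluster-admin and a dedicated must-gather role. The `mustgather` function continues outside the hunk on both sides.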
diff --git a/rbac/install/namespaces.yaml b/rbac/install/namespaces.yaml index 4b198841114..853d67cecc4 100644 --- a/rbac/install/namespaces.yaml +++ b/rbac/install/namespaces.yaml @@ -51,6 +51,11 @@ metadata: --- apiVersion: v1 kind: Namespace +metadata: + name: openshift-nfd +--- +apiVersion: v1 +kind: Namespace metadata: name: db2u --- diff --git a/rbac/install/pipeline/openshift-nfd.yaml b/rbac/install/pipeline/openshift-nfd.yaml new file mode 100644 index 00000000000..fea0118bd98 --- /dev/null +++ b/rbac/install/pipeline/openshift-nfd.yaml @@ -0,0 +1,33 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:openshift-nfd + namespace: openshift-nfd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: mas:{{ mas_instance_id }}:install-pipeline:openshift-nfd +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:openshift-nfd + namespace: openshift-nfd +rules: + # Nvidia GPU operator installation requires operator subscription + - apiGroups: + - operators.coreos.com + resources: + - installplans + - operatorgroups + - subscriptions + verbs: + - get + - list + - create + - patch From e6b0b92076201c90b5c60161d3072c2a7243afd0 Mon Sep 17 00:00:00 2001 From: Unnati Solanki Date: Sun, 10 May 2026 15:07:07 +0530 Subject: [PATCH 10/18] [patch] Fix nvidia permission --- rbac/install/pipeline/openshift-nfd.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/rbac/install/pipeline/openshift-nfd.yaml b/rbac/install/pipeline/openshift-nfd.yaml index fea0118bd98..92689860c88 100644 --- a/rbac/install/pipeline/openshift-nfd.yaml +++ b/rbac/install/pipeline/openshift-nfd.yaml 
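Review bot: The `openshift-nfd` Role grants `create`/`patch` on Subscriptions, InstallPlans and OperatorGroups, which lets the install-pipeline service account install any operator available in the catalog into that namespace, after which OLM provisions the operator's own (frequently cluster-scoped) RBAC — effectively cluster-admin by proxy rather than a namespaced grant. If the pipeline only needs to subscribe to NFD, say so in the rule comment and consider pre-provisioning the OperatorGroup with the namespace so the pipeline does not need `operatorgroups` create at all, e.g. `# Subscribes the NFD operator only; OperatorGroup is pre-provisioned with the namespace`. Also note that `openshift-nfd` is a fixed namespace shared by every MAS instance on the cluster, so despite the instance-scoped binding name the grant is not instance-isolated.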
@@ -31,3 +31,15 @@ rules: - list - create - patch + # Node Feature Discovery CRD management + - apiGroups: + - nfd.openshift.io + resources: + - nodefeaturediscoveries + verbs: + - get + - list + - create + - patch + - update + - watch From 488a6646f3a5f062d116a0b53347b28e2f733ebf Mon Sep 17 00:00:00 2001 From: Unnati Solanki Date: Mon, 11 May 2026 19:55:47 +0530 Subject: [PATCH 11/18] [patch] Fix nvidia gpu operator permissions --- rbac/install/namespaces.yaml | 5 +++ rbac/install/pipeline/openshift-nfd.yaml | 45 ++++++++++++++++++++++++ 2 files changed, 50 insertions(+) diff --git a/rbac/install/namespaces.yaml b/rbac/install/namespaces.yaml index 853d67cecc4..1c05467b41a 100644 --- a/rbac/install/namespaces.yaml +++ b/rbac/install/namespaces.yaml @@ -56,6 +56,11 @@ metadata: --- apiVersion: v1 kind: Namespace +metadata: + name: nvidia-gpu-operator +--- +apiVersion: v1 +kind: Namespace metadata: name: db2u --- diff --git a/rbac/install/pipeline/openshift-nfd.yaml b/rbac/install/pipeline/openshift-nfd.yaml index 92689860c88..dc53389fdc3 100644 --- a/rbac/install/pipeline/openshift-nfd.yaml +++ b/rbac/install/pipeline/openshift-nfd.yaml 
@@ -43,3 +43,48 @@ rules: - patch - update - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:nvidia-gpu-operator + namespace: nvidia-gpu-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: mas:{{ mas_instance_id }}:install-pipeline:nvidia-gpu-operator +subjects: + - kind: ServiceAccount + name: mas-{{ mas_instance_id }}-install-pipeline + namespace: mas-{{ mas_instance_id }}-pipelines +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: mas:{{ mas_instance_id }}:install-pipeline:nvidia-gpu-operator + namespace: nvidia-gpu-operator +rules: + # Nvidia GPU operator installation requires operator subscription + - apiGroups: + - operators.coreos.com + resources: + - installplans + - operatorgroups + - subscriptions + verbs: + - get + - list + - create + - patch + # GPU operator CRD management + - apiGroups: + - nvidia.com + resources: + - clusterpolicies + verbs: + - get + - list + - create + - patch + - update + - watch From 43c74e98cd58a315330c2fb6a5ef62a7b494d23f Mon Sep 17 00:00:00 2001 From: Unnati Solanki Date: Tue, 12 May 2026 00:17:51 +0530 Subject: [PATCH 12/18] [patch] Adding cpd nvidia and kube system permissions --- rbac/install/kustomization.yaml | 2 + rbac/install/namespaces.yaml | 10 +++ rbac/install/pipeline/clusterrole.yaml | 13 +++ rbac/install/pipeline/ibm-cpd.yaml | 101 +++++++++++++++++++++++ rbac/install/pipeline/kube-system.yaml | 33 ++++++++ rbac/install/pipeline/openshift-nfd.yaml | 12 --- 6 files changed, 159 insertions(+), 12 deletions(-) create mode 100644 rbac/install/pipeline/ibm-cpd.yaml create mode 100644 rbac/install/pipeline/kube-system.yaml diff --git a/rbac/install/kustomization.yaml b/rbac/install/kustomization.yaml index 6353f83aa68..61bce4b6118 100644 --- a/rbac/install/kustomization.yaml +++ b/rbac/install/kustomization.yaml 
@@ -20,7 +20,9 @@ resources: - pipeline/db2u.yaml - pipeline/eck.yaml - pipeline/grafana5.yaml + - pipeline/ibm-cpd.yaml - pipeline/ibm-sls.yaml + - pipeline/kube-system.yaml - pipeline/mas-x-app.yaml - pipeline/mas-x-core.yaml - pipeline/mas-x-pipelines.yaml diff --git a/rbac/install/namespaces.yaml b/rbac/install/namespaces.yaml index 1c05467b41a..a2cf78197e2 100644 --- a/rbac/install/namespaces.yaml +++ b/rbac/install/namespaces.yaml @@ -61,6 +61,16 @@ metadata: --- apiVersion: v1 kind: Namespace +metadata: + name: ibm-cpd-operators +--- +apiVersion: v1 +kind: Namespace +metadata: + name: ibm-cpd +--- +apiVersion: v1 +kind: Namespace metadata: name: db2u --- diff --git a/rbac/install/pipeline/clusterrole.yaml b/rbac/install/pipeline/clusterrole.yaml index 324826b7b60..b8752152bfd 100644 --- a/rbac/install/pipeline/clusterrole.yaml +++ b/rbac/install/pipeline/clusterrole.yaml @@ -118,3 +118,16 @@ rules: verbs: - create - update + + # Nvidia GPU operator ClusterPolicy is cluster-scoped + - apiGroups: + - nvidia.com + resources: + - clusterpolicies + verbs: + - get + - list + - create + - patch + - update + - watch diff --git a/rbac/install/pipeline/ibm-cpd.yaml b/rbac/install/pipeline/ibm-cpd.yaml new file mode 100644 index 00000000000..ce0939636bd --- /dev/null +++ b/rbac/install/pipeline/ibm-cpd.yaml 
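Review bot: Moving `clusterpolicies.nvidia.com` into the cluster-scoped role is correct in scope (ClusterPolicy is cluster-scoped, which is presumably why the namespaced copy in openshift-nfd.yaml is dropped in the same patch), but create/patch/update here lets the install-pipeline SA reconfigure the GPU operator, whose ClusterPolicy drives privileged node-level DaemonSets; the comment should say that rather than only "is cluster-scoped", e.g. `# ClusterPolicy is cluster-scoped and configures the privileged GPU driver/toolkit DaemonSets`. Consider `resourceNames:` naming the policy the installer creates so that patch/update are bounded to the object the pipeline owns (create itself cannot be limited by resourceNames and stays unrestricted). `delete` is rightly omitted.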
@@ -0,0 +1,101 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: mas:{{ mas_instance_id }}:install-pipeline:ibm-cpd-operators
+ namespace: ibm-cpd-operators
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: mas:{{ mas_instance_id }}:install-pipeline:ibm-cpd-operators
+subjects:
+ - kind: ServiceAccount
+ name: mas-{{ mas_instance_id }}-install-pipeline
+ namespace: mas-{{ mas_instance_id }}-pipelines
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: mas:{{ mas_instance_id }}:install-pipeline:ibm-cpd-operators
+ namespace: ibm-cpd-operators
+rules:
+ # Cloud Pak for Data operator installation
+ - apiGroups:
+ - operators.coreos.com
+ resources:
+ - installplans
+ - operatorgroups
+ - subscriptions
+ verbs:
+ - get
+ - list
+ - create
+ - patch
+ # IBM entitlement key secret
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - create
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: mas:{{ mas_instance_id }}:install-pipeline:ibm-cpd
+ namespace: ibm-cpd
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: mas:{{ mas_instance_id }}:install-pipeline:ibm-cpd
+subjects:
+ - kind: ServiceAccount
+ name: mas-{{ mas_instance_id }}-install-pipeline
+ namespace: mas-{{ mas_instance_id }}-pipelines
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: mas:{{ mas_instance_id }}:install-pipeline:ibm-cpd
+ namespace: ibm-cpd
+rules:
+ # Cloud Pak for Data instance management
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ - configmaps
+ - serviceaccounts
+ verbs:
+ - get
+ - list
+ - create
+ - patch
+ - update
+ # CPD services and deployments
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - create
+ - patch
+ - update
+ # CPD routes
+ - apiGroups:
+ - route.openshift.io
+ resources:
+ - routes
+ verbs:
+ - get
+ - list
+ - 
create
+ - patch
+ - update
diff --git a/rbac/install/pipeline/kube-system.yaml b/rbac/install/pipeline/kube-system.yaml
new file mode 100644
index 00000000000..8d1d397e27b
--- /dev/null
+++ b/rbac/install/pipeline/kube-system.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: mas:{{ mas_instance_id }}:install-pipeline:kube-system
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: mas:{{ mas_instance_id }}:install-pipeline:kube-system
+subjects:
+ - kind: ServiceAccount
+ name: mas-{{ mas_instance_id }}-install-pipeline
+ namespace: mas-{{ mas_instance_id }}-pipelines
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: mas:{{ mas_instance_id }}:install-pipeline:kube-system
+ namespace: kube-system
+rules:
+ # Some components may need to create secrets in kube-system
+ # This is typically for cluster-level configuration
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - create
+ - patch
+ - update
diff --git a/rbac/install/pipeline/openshift-nfd.yaml b/rbac/install/pipeline/openshift-nfd.yaml
index dc53389fdc3..a269c81f932 100644
--- a/rbac/install/pipeline/openshift-nfd.yaml
+++ b/rbac/install/pipeline/openshift-nfd.yaml
@@ -76,15 +76,3 @@ rules:
 - list
 - create
 - patch
- # GPU operator CRD management
- - apiGroups:
- - nvidia.com
- resources:
- - clusterpolicies
- verbs:
- - get
- - list
- - create
- - patch
- - update
- - watch
From b67145bc4390d769914580ba8121b1597c9373ce Mon Sep 17 00:00:00 2001
From: Unnati Solanki
Date: Tue, 12 May 2026 15:07:41 +0530
Subject: [PATCH 13/18] [patch] Update permissions for cp4d and kube-system
---
 rbac/install/pipeline/ibm-cpd.yaml | 3 ++-
 rbac/install/pipeline/kube-system.yaml | 11 +++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/rbac/install/pipeline/ibm-cpd.yaml b/rbac/install/pipeline/ibm-cpd.yaml
index ce0939636bd..40fc16da94c 100644
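Review bot: The Role added in `kube-system.yaml` grants `get` and `list` on every Secret in `kube-system`, the namespace that holds cluster-level credentials, and the comment justifies it only with "Some components may need"; the rule should be split so that `get`/`patch`/`update` carry `resourceNames: - <name of the secret the installer writes>` and only `create` stays unrestricted, since create cannot be limited by resource name. The comment should name the component and the Secret concerned rather than a guess. The same unscoped, speculatively justified shape recurs in the `daemonsets` rule that the PATCH 13 hunk adds to this Role: a DaemonSet created in `kube-system` runs on every node, so that rule needs a named consumer too.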
--- a/rbac/install/pipeline/ibm-cpd.yaml
+++ b/rbac/install/pipeline/ibm-cpd.yaml
@@ -31,11 +31,12 @@ rules:
 - list
 - create
 - patch
- # IBM entitlement key secret
+ # IBM entitlement key secret and service accounts
 - apiGroups:
 - ""
 resources:
 - secrets
+ - serviceaccounts
 verbs:
 - get
 - list
diff --git a/rbac/install/pipeline/kube-system.yaml b/rbac/install/pipeline/kube-system.yaml
index 8d1d397e27b..59c83313ae9 100644
--- a/rbac/install/pipeline/kube-system.yaml
+++ b/rbac/install/pipeline/kube-system.yaml
@@ -31,3 +31,14 @@ rules:
 - create
 - patch
 - update
+ # DaemonSets for system-level components (e.g., GPU drivers, monitoring agents)
+ - apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - create
+ - patch
+ - update
From 1ddf91d86d72866564187f7af6d5bb9d59c051b2 Mon Sep 17 00:00:00 2001
From: Unnati Solanki
Date: Wed, 13 May 2026 06:26:19 +0530
Subject: [PATCH 14/18] [patch] Fix cp4d permissions
---
 rbac/install/pipeline/ibm-cpd.yaml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/rbac/install/pipeline/ibm-cpd.yaml b/rbac/install/pipeline/ibm-cpd.yaml
index 40fc16da94c..72fb8502c81 100644
--- a/rbac/install/pipeline/ibm-cpd.yaml
+++ b/rbac/install/pipeline/ibm-cpd.yaml
@@ -43,6 +43,33 @@ rules:
 - create
 - patch
 - update
+ # CPD operators need to create RBAC resources
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ verbs:
+ - get
+ - list
+ - create
+ - patch
+ - update
+ - delete
+ # Grant wildcard permissions that CPD operators need to delegate
+ - apiGroups:
+ - "*"
+ resources:
+ - "*"
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
From bec7e0142a6270adc463505b797953e3262a93a6 Mon Sep 17 00:00:00 2001
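Review bot: The second rule added to the `ibm-cpd` Role in the PATCH 14 hunk (`apiGroups: "*"`, `resources: "*"`, every mutating verb) makes the install-pipeline ServiceAccount an administrator of that namespace and turns the `roles`/`rolebindings` rule above it, and every earlier rule in the Role, into dead text. The comment says the purpose is delegation; the RBAC primitives for letting a caller create Roles carrying permissions it does not itself hold are the `escalate` and `bind` verbs on `roles`, so adding `- escalate` and `- bind` to the verbs of that first rule and dropping the wildcard rule covers the stated need. If CPD also has to manage its own custom resources in the namespace, listing those API groups in place of `"*"` keeps the grant reviewable. Whatever is kept, the comment on the wildcard rule should say that it is namespace-admin-equivalent rather than describing it as a delegation aid.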
From: Unnati Solanki
Date: Wed, 13 May 2026 20:37:35 +0530
Subject: [PATCH 15/18] [patch] Fix cp4d role
---
 rbac/install/pipeline/clusterrole.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/rbac/install/pipeline/clusterrole.yaml b/rbac/install/pipeline/clusterrole.yaml
index b8752152bfd..59b95e0da53 100644
--- a/rbac/install/pipeline/clusterrole.yaml
+++ b/rbac/install/pipeline/clusterrole.yaml
@@ -131,3 +131,19 @@ rules:
 - patch
 - update
 - watch
+
+ # Cloud Pak for Data requires wildcard permissions to delegate to namespace roles
+ # This allows CPD operators to create roles with any permissions within their namespaces
+ - apiGroups:
+ - "*"
+ resources:
+ - "*"
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
From ad4593f29d7847914ae6f7be1d1be511ed13a9b0 Mon Sep 17 00:00:00 2001
From: Unnati Solanki
Date: Fri, 15 May 2026 20:31:17 +0530
Subject: [PATCH 16/18] [patch] impersonate user
---
 rbac/install/pipeline/clusterrole.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rbac/install/pipeline/clusterrole.yaml b/rbac/install/pipeline/clusterrole.yaml
index 59b95e0da53..9702dac2818 100644
--- a/rbac/install/pipeline/clusterrole.yaml
+++ b/rbac/install/pipeline/clusterrole.yaml
@@ -147,3 +147,4 @@ rules:
 - update
 - watch
 - deletecollection
+ - impersonate
From cbe373ba6d651e656446d5cbe20ebbc553111bd3 Mon Sep 17 00:00:00 2001
From: Unnati Solanki
Date: Fri, 15 May 2026 22:14:56 +0530
Subject: [PATCH 17/18] [patch] CP4d cluster admin permissions
---
 rbac/install/pipeline/clusterrole.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/rbac/install/pipeline/clusterrole.yaml b/rbac/install/pipeline/clusterrole.yaml
index 9702dac2818..cdaf1448099 100644
--- a/rbac/install/pipeline/clusterrole.yaml
+++ b/rbac/install/pipeline/clusterrole.yaml
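Review bot: The rule added to the ClusterRole in the PATCH 15 hunk (`apiGroups: "*"`, `resources: "*"`, every standard verb) is cluster-admin in all but name for `mas-{{ mas_instance_id }}-install-pipeline`: it covers every namespace and every cluster-scoped kind, so the deliberately narrow rules earlier in this file (the must-gather reads, `nvidia.com/clusterpolicies`) and every namespaced Role in this series become dead text, and a compromise of the pipeline's credentials becomes a compromise of the whole cluster. PATCH 16 then adds `impersonate` to the same rule, which lets the account act as any user or group including cluster administrators, and PATCH 17's `bind`/`escalate` rule is moot under it. The comment's own justification — CPD operators creating roles inside their namespaces — needs only `escalate` and `bind` on `roles` in the CPD namespace Roles (the PATCH 14 hunk above), so this rule should be dropped; if CPD genuinely needs particular cluster-scoped kinds such as ClusterRoles or CRDs, enumerate those with their API groups. At minimum the comment must state plainly that the rule is cluster-admin-equivalent, so that nobody reads it as namespace-scoped delegation.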
@@ -148,3 +148,17 @@ rules:
 - watch
 - deletecollection
 - impersonate
+
+ # Allow binding and escalating ClusterRoles (including admin) without having all their permissions
+ # This is required for CPD to assign the admin role to service accounts
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ verbs:
+ - bind
+ - escalate
+ resourceNames:
+ - admin
+ - edit
+ - view
From e61f266a3b0d73c5918040efa25147d297a7c766 Mon Sep 17 00:00:00 2001
From: Unnati Solanki
Date: Thu, 21 May 2026 00:52:40 +0530
Subject: [PATCH 18/18] [patch] Addressed review comments
---
 image/cli/mascli/functions/must_gather | 5 +++++
 rbac/install/pipeline/clusterrole.yaml | 3 ---
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/image/cli/mascli/functions/must_gather b/image/cli/mascli/functions/must_gather
index a4e10d0058a..9797d06d388 100644
--- a/image/cli/mascli/functions/must_gather
+++ b/image/cli/mascli/functions/must_gather
@@ -224,6 +224,11 @@ function mustgather() {
 echo "For help reviewing the content of the must gather refer to:"
 echo "https://www.ibm.com/support/pages/how-review-maximo-application-suite-must-gather"
+ if [ "$(oc whoami 2>/dev/null)" == "" ] ; then
+ echo_warning "You must be logged in to the cluster before running the must-gather command"
+ exit 1
+ fi
+
 # ---------------------------------------------------------------------------
 # Generate OCP Report
 # ---------------------------------------------------------------------------
diff --git a/rbac/install/pipeline/clusterrole.yaml b/rbac/install/pipeline/clusterrole.yaml
index cdaf1448099..23c1fb4700f 100644
--- a/rbac/install/pipeline/clusterrole.yaml
+++ b/rbac/install/pipeline/clusterrole.yaml
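Review bot: The PATCH 17 rule grants `escalate` on the `admin`/`edit`/`view` ClusterRoles, but the comment only describes assigning `admin` to service accounts, which is a `bind` check; `escalate` is what permits updating those ClusterRoles themselves with permissions the caller does not hold, so `verbs: - bind` alone matches the stated need. Because the rule lives in a cluster-wide ClusterRole, `bind` on `admin` also covers a ClusterRoleBinding to `admin`, not only RoleBindings in the CPD namespaces; as far as I can tell the bind check is evaluated at the binding's scope, so moving the rule into the namespaced Role from the PATCH 14 hunk would confine it to those namespaces. The comment's phrase "without having all their permissions" is also inaccurate while the PATCH 15 wildcard rule above it stands, since the account then holds every permission those roles contain and this rule is redundant; the comment should say that it only has a purpose once the wildcard is removed.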
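Review bot: The new login check runs after the two `echo` lines that print the help URL, so a user with no session sees the help text and then the warning; placing the `if` above them, or at the top of `mustgather()` (whose body starts and ends outside this hunk), reads better. The test is clearer as `if ! oc whoami >/dev/null 2>&1; then`, which drops the bash-only `==` inside `[ ]` and the empty-string comparison. A successful `oc whoami` only shows that a session exists, not that it can read what the must-gather collects, so a one-line comment such as `# Fast-fail when there is no oc session; later oc calls still need read access to the namespaces` would set expectations for the next reader.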
@@ -11,9 +11,6 @@ subjects:
 - kind: ServiceAccount
 name: mas-{{ mas_instance_id }}-install-pipeline
 namespace: mas-{{ mas_instance_id }}-pipelines
- - kind: ServiceAccount
- name: pipeline
- namespace: mas-{{ mas_instance_id }}-pipelines
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole