[patch] MAS and Manage RBAC Permissions in Install pipeline

image/cli/mascli/functions/must_gather

@@ -225,10 +225,7 @@ function mustgather() {
   echo "https://www.ibm.com/support/pages/how-review-maximo-application-suite-must-gather"
 
   if [ "$(oc whoami 2>/dev/null)" == "" ] ; then 
-    echo_warning "You must be logged in to the server as a cluster administrator before running the must-gather command"
-    exit 1
-  elif [ "$(oc get clusterrolebindings 2>&1 | grep forbidden)" != "" ] ; then 
-    echo_warning "Your user does not appear to be a cluster administrator, you must be logged in to the server as a cluster administrator before running the must-gather command"
+    echo_warning "You must be logged in to the cluster before running the must-gather command"
     exit 1
   fi
 

rbac/install/kustomization.yaml

@@ -20,7 +20,10 @@ resources:
   - pipeline/db2u.yaml
   - pipeline/eck.yaml
   - pipeline/grafana5.yaml
+  - pipeline/ibm-cpd.yaml
   - pipeline/ibm-sls.yaml
+  - pipeline/kube-system.yaml
+  - pipeline/mas-x-app.yaml
   - pipeline/mas-x-core.yaml
   - pipeline/mas-x-pipelines.yaml
   - pipeline/mongoce.yaml
@@ -29,6 +32,7 @@ resources:
   - pipeline/openshift-ingress.yaml
   - pipeline/openshift-marketplace.yaml
   - pipeline/openshift-monitoring.yaml
+  - pipeline/openshift-nfd.yaml
   - pipeline/openshift-operators.yaml
   - pipeline/openshift-user-workload-monitoring.yaml
   - pipeline/redhat-marketplace.yaml

rbac/install/namespaces.yaml

@@ -32,7 +32,7 @@ metadata:
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: db2u
+  name: sls-{{ mas_instance_id }}
 ---
 apiVersion: v1
 kind: Namespace
@@ -48,3 +48,63 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: openshift-pipelines
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openshift-nfd
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nvidia-gpu-operator
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ibm-cpd-operators
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ibm-cpd
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: db2u
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mas-{{ mas_instance_id }}-manage
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mas-{{ mas_instance_id }}-monitor
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mas-{{ mas_instance_id }}-health
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mas-{{ mas_instance_id }}-predict
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mas-{{ mas_instance_id }}-assist
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mas-{{ mas_instance_id }}-visualinspection
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mas-{{ mas_instance_id }}-iot

rbac/install/pipeline/clusterrole.yaml

@@ -106,3 +106,56 @@ rules:
       - create
       - patch
       - list
+
+  # Creating routes with custom hostnames requires cluster-wide permission
+  - apiGroups:
+      - route.openshift.io
+    resources:
+      - routes/custom-host
+    verbs:
+      - create
+      - update
+
+  # Nvidia GPU operator ClusterPolicy is cluster-scoped
+  - apiGroups:
+      - nvidia.com
+    resources:
+      - clusterpolicies
+    verbs:
+      - get
+      - list
+      - create
+      - patch
+      - update
+      - watch
+
+  # Cloud Pak for Data requires wildcard permissions to delegate to namespace roles
+  # This allows CPD operators to create roles with any permissions within their namespaces
+  - apiGroups:
+      - "*"
+    resources:
+      - "*"
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+      - deletecollection
+      - impersonate
+
+  # Allow binding and escalating ClusterRoles (including admin) without having all their permissions
+  # This is required for CPD to assign the admin role to service accounts
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - clusterroles
+    verbs:
+      - bind
+      - escalate
+    resourceNames:
+      - admin
+      - edit
+      - view

rbac/install/pipeline/db2u.yaml

@@ -94,6 +94,18 @@ rules:
       - create
       - patch
       - list
+  # DB2 setup requires pod exec access to copy files and run commands
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/log
+      - pods/exec
+    verbs:
+      - get
+      - list
+      - create
+
 
   # DB2 requires cert-manager issuers and certificates for SSL
   - apiGroups:
@@ -107,3 +119,15 @@ rules:
       - patch
       - list
       - watch
+
+
+  # DB2 requires routes for external access
+  - apiGroups:
+      - route.openshift.io
+    resources:
+      - routes
+    verbs:
+      - get
+      - create
+      - patch
+      - list

rbac/install/pipeline/ibm-cpd.yaml

@@ -0,0 +1,129 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: mas:{{ mas_instance_id }}:install-pipeline:ibm-cpd-operators
+  namespace: ibm-cpd-operators
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: mas:{{ mas_instance_id }}:install-pipeline:ibm-cpd-operators
+subjects:
+  - kind: ServiceAccount
+    name: mas-{{ mas_instance_id }}-install-pipeline
+    namespace: mas-{{ mas_instance_id }}-pipelines
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: mas:{{ mas_instance_id }}:install-pipeline:ibm-cpd-operators
+  namespace: ibm-cpd-operators
+rules:
+  # Cloud Pak for Data operator installation
+  - apiGroups:
+      - operators.coreos.com
+    resources:
+      - installplans
+      - operatorgroups
+      - subscriptions
+    verbs:
+      - get
+      - list
+      - create
+      - patch
+  # IBM entitlement key secret and service accounts
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - serviceaccounts
+    verbs:
+      - get
+      - list
+      - create
+      - patch
+      - update
+  # CPD operators need to create RBAC resources
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - roles
+      - rolebindings
+    verbs:
+      - get
+      - list
+      - create
+      - patch
+      - update
+      - delete
+  # Grant wildcard permissions that CPD operators need to delegate
+  - apiGroups:
+      - "*"
+    resources:
+      - "*"
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+      - deletecollection
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: mas:{{ mas_instance_id }}:install-pipeline:ibm-cpd
+  namespace: ibm-cpd
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: mas:{{ mas_instance_id }}:install-pipeline:ibm-cpd
+subjects:
+  - kind: ServiceAccount
+    name: mas-{{ mas_instance_id }}-install-pipeline
+    namespace: mas-{{ mas_instance_id }}-pipelines
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: mas:{{ mas_instance_id }}:install-pipeline:ibm-cpd
+  namespace: ibm-cpd
+rules:
+  # Cloud Pak for Data instance management
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - configmaps
+      - serviceaccounts
+    verbs:
+      - get
+      - list
+      - create
+      - patch
+      - update
+  # CPD services and deployments
+  - apiGroups:
+      - apps
+    resources:
+      - deployments
+      - statefulsets
+    verbs:
+      - get
+      - list
+      - create
+      - patch
+      - update
+  # CPD routes
+  - apiGroups:
+      - route.openshift.io
+    resources:
+      - routes
+    verbs:
+      - get
+      - list
+      - create
+      - patch
+      - update