modules/olm-policy-scoping-operator-install.adoc (+59 -13)
@@ -19,6 +19,9 @@ Using this example, a cluster administrator can confine a set of Operators to a
19
19
20
20
. Create a new namespace:
21
21
+
22
+
.Example command that creates a `Namespace` object
23
+
[%collapsible]
24
+
====
22
25
[source,terminal]
23
26
----
24
27
$ cat <<EOF | oc create -f -
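Review bot: the step text `. Create a new namespace:` never names the namespace, yet every later manifest in this procedure hardcodes `namespace: scoped`, and the new `[%collapsible]` block hides the `name: scoped` value by default. Suggest stating the name in the step itself, for example `. Create a new namespace, for example `scoped`:`, so a reader who leaves the example collapsed still knows which namespace the remaining steps refer to.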
@@ -28,9 +31,15 @@ metadata:
28
31
name: scoped
29
32
EOF
30
33
----
34
+
====
31
35
32
-
. Allocate permissions that you want the Operator(s) to be confined to. This involves creating a new service account, relevant role(s), and role binding(s).
36
+
. Allocate permissions that you want the Operator(s) to be confined to. This involves creating a new service account, relevant role(s), and role binding(s) in the newly created, designated namespace:
37
+
38
+
.. Create a service account by running the following command:
33
39
+
40
+
.Example command that creates a `ServiceAccount` object
41
+
[%collapsible]
42
+
====
34
43
[source,terminal]
35
44
----
36
45
$ cat <<EOF | oc create -f -
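Review bot: the rewritten step sentence `This involves creating a new service account, relevant role(s), and role binding(s) in the newly created, designated namespace:` omits the token secret that the new sub-steps also create, so the list of objects no longer matches the sub-steps that follow it. Suggest `This involves creating a new service account, a long-lived API token secret for it, and the relevant roles and role bindings in the newly created, designated namespace:`; writing `Operator(s)` and `role(s)` as plain plurals would also read more cleanly.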
@@ -41,9 +50,39 @@ metadata:
41
50
namespace: scoped
42
51
EOF
43
52
----
53
+
====
54
+
55
+
.. Create a secret by running the following command:
56
+
+
57
+
.Example command that creates a long-lived API token `Secret` object
58
+
[%collapsible]
59
+
====
60
+
[source,terminal]
61
+
----
62
+
$ cat <<EOF | oc create -f -
63
+
apiVersion: v1
64
+
kind: Secret
65
+
type: kubernetes.io/service-account-token <1>
66
+
metadata:
67
+
name: scoped
68
+
namespace: scoped
69
+
annotations:
70
+
kubernetes.io/service-account.name: scoped
71
+
EOF
72
+
----
73
+
<1> The secret must be a long-lived API token, which is used by the service account.
74
+
====
75
+
76
+
.. Create a role by running the following command.
44
77
+
45
-
The following example grants the service account permissions to do anything in the designated namespace for simplicity. In a production environment, you should create a more fine-grained set of permissions:
78
+
[WARNING]
79
+
====
80
+
In this example, the role grants the service account permissions to do anything in the designated namespace for demonostration purposes only. In a production environment, you should create a more fine-grained set of permissions. For more information, see "Fine-grained permissions".
81
+
====
46
82
+
83
+
.Example command that creates `Role` and `RoleBinding` objects
84
+
[%collapsible]
85
+
====
47
86
[source,terminal]
48
87
----
49
88
$ cat <<EOF | oc create -f -
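Review bot: callout `<1>` (`The secret must be a long-lived API token, which is used by the service account.`) states the requirement without the caveat a reader needs: a `kubernetes.io/service-account-token` secret holds a non-expiring token that is not rotated automatically, so it has to be treated as a credential to protect, and deleting the secret is how that token is revoked. Suggest adding a sentence to that effect, or a pointer to where the long-lived token requirement is explained. Also, `demonostration` in the `[WARNING]` block should be `demonstration`, and the sentence reads better as `For demonstration purposes only, the role in this example grants the service account permission to do anything in the designated namespace.`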
@@ -72,11 +111,13 @@ subjects:
72
111
namespace: scoped
73
112
EOF
74
113
----
114
+
====
75
115
76
-
. Create an `OperatorGroup` object in the designated namespace. This Operator group targets the designated namespace to ensure that its tenancy is confined to it.
77
-
+
78
-
In addition, Operator groups allow a user to specify a service account. Specify the service account created in the previous step:
116
+
. Create an `OperatorGroup` object in the designated namespace by running the following command. This Operator group targets the designated namespace to ensure that its tenancy is confined to it. In addition, Operator groups allow a user to specify a service account.
79
117
+
118
+
.Example command that creates an `OperatorGroup` object
119
+
[%collapsible]
120
+
====
80
121
[source,terminal]
81
122
----
82
123
$ cat <<EOF | oc create -f -
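Review bot: the rewritten step now ends with `In addition, Operator groups allow a user to specify a service account.` and drops the old sentence that told the reader which one to use, so the step reads as an aside rather than an instruction; the direction only reappears later in the callout on `serviceAccountName`. Suggest keeping it in the step text, for example `... allow a user to specify a service account; specify the one created in the previous step, because OLM installs Operators in the group with it and its permissions are what confine them.` The phrase `to ensure that its tenancy is confined to it` is also unclear about what `its` refers to; `so that Operators installed there are confined to that namespace` is more direct.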
@@ -86,32 +127,37 @@ metadata:
86
127
name: scoped
87
128
namespace: scoped
88
129
spec:
89
-
serviceAccountName: scoped
130
+
serviceAccountName: scoped <1>
90
131
targetNamespaces:
91
132
- scoped
92
133
EOF
93
134
----
94
-
+
95
-
Any Operator installed in the designated namespace is tied to this Operator group and therefore to the service account specified.
135
+
<1> Specify the service account created in the previous step. Any Operator installed in the designated namespace is tied to this Operator group and therefore to the service account specified.
136
+
====
96
137
97
138
. Create a `Subscription` object in the designated namespace to install an Operator:
98
139
+
140
+
.Example command that creates a `Subscription` object
141
+
[%collapsible]
142
+
====
99
143
[source,terminal]
100
144
----
101
145
$ cat <<EOF | oc create -f -
102
146
apiVersion: operators.coreos.com/v1alpha1
103
147
kind: Subscription
104
148
metadata:
105
-
name: etcd
149
+
name: openshift-cert-manager-operator
106
150
namespace: scoped
107
151
spec:
108
-
channel: singlenamespace-alpha
109
-
name: etcd
152
+
channel: stable-v1
153
+
name: openshift-cert-manager-operator
110
154
source: <catalog_source_name> <1>
111
155
sourceNamespace: <catalog_source_namespace> <2>
112
156
EOF
113
157
----
114
-
<1> Specify a catalog source that already exists in the designated namespace or one that is in the global catalog namespace.
115
-
<2> Specify a namespace where the catalog source was created.
158
+
<1> Specify a catalog source that already exists in the designated namespace or one that is in the global catalog namespace, for example `redhat-operators`.
159
+
<2> Specify a namespace where the catalog source was created, for example `openshift-marketplace` for the `redhat-operators` catalog.
160
+
====
116
161
+
117
162
Any Operator tied to this Operator group is confined to the permissions granted to the specified service account. If the Operator requests permissions that are outside the scope of the service account, the installation fails with relevant errors.
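Review bot: replacing the `etcd` Subscription with `openshift-cert-manager-operator` loses the hint that the old `singlenamespace-alpha` channel name carried: because the Operator group lists a single entry under `targetNamespaces`, the Operator chosen for this example must support installation into a single namespace, otherwise the install fails for a reason unrelated to the service-account scoping this module is about. Suggest stating that requirement next to the Subscription example, and noting that channel names such as `stable-v1` change across catalog versions, so the reader should check which channels their catalog offers. Separately, the closing sentence `the installation fails with relevant errors` would be more useful if it said where those errors surface, for example in the status of the `Subscription` and its `InstallPlan`.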