From d810024c3fc6e7cd4f4f10f66d093c4f479e1e12 Mon Sep 17 00:00:00 2001
From: Anatolii Bazko
Date: Tue, 8 Oct 2024 08:30:38 +0200
Subject: [PATCH] chore: Minimal set of permissions to deploy che on openshift (#2794)
* chore: Minimal set of permissions to deploy che on openshift
Signed-off-by: Anatolii Bazko
* Add articles to nav.adoc
Signed-off-by: Anatolii Bazko
* Add additional resources
Signed-off-by: Anatolii Bazko
* Update modules/administration-guide/pages/permissions-to-install-che-on-openshift-using-the-web-console.adoc
Co-authored-by: Jana Vrbkova
* Update modules/administration-guide/pages/permissions-to-install-che-on-openshift-using-cli.adoc
Co-authored-by: Jana Vrbkova
* Update modules/administration-guide/pages/permissions-to-install-che.adoc
Co-authored-by: Jana Vrbkova
---------
Signed-off-by: Anatolii Bazko
Co-authored-by: Jana Vrbkova
---
modules/administration-guide/nav.adoc | 3 ++
...installing-che-on-openshift-using-cli.adoc | 4 ++
...he-on-openshift-using-the-web-console.adoc | 4 ++
...to-install-che-on-openshift-using-cli.adoc | 51 ++++++++++++++++++
...he-on-openshift-using-the-web-console.adoc | 52 +++++++++++++++++++
.../pages/permissions-to-install-che.adoc | 14 +++++
6 files changed, 128 insertions(+)
create mode 100644 modules/administration-guide/pages/permissions-to-install-che-on-openshift-using-cli.adoc
create mode 100644 modules/administration-guide/pages/permissions-to-install-che-on-openshift-using-the-web-console.adoc
create mode 100644 modules/administration-guide/pages/permissions-to-install-che.adoc
diff --git a/modules/administration-guide/nav.adoc b/modules/administration-guide/nav.adoc
index bdd585d0ec..43b6fdc6c1 100644
--- a/modules/administration-guide/nav.adoc
+++ b/modules/administration-guide/nav.adoc
@@ -26,6 +26,9 @@ *** xref:installing-che-on-minikube.adoc[] *** xref:installing-che-on-minikube-keycloak-oidc.adoc[] ** xref:finding-the-fully-qualified-domain-name-fqdn.adoc[] +** xref:permissions-to-install-che.adoc[] +*** xref:permissions-to-install-che-on-openshift-using-cli.adoc[] +*** xref:permissions-to-install-che-on-openshift-using-the-web-console.adoc[] * xref:configuring-che.adoc[] ** xref:understanding-the-checluster-custom-resource.adoc[] *** xref:using-chectl-to-configure-the-checluster-custom-resource-during-installation.adoc[] diff --git a/modules/administration-guide/pages/installing-che-on-openshift-using-cli.adoc b/modules/administration-guide/pages/installing-che-on-openshift-using-cli.adoc index 77f0b64a89..437b1f091c 100644 --- a/modules/administration-guide/pages/installing-che-on-openshift-using-cli.adoc +++ b/modules/administration-guide/pages/installing-che-on-openshift-using-cli.adoc @@ -49,3 +49,7 @@ $ {prod-cli} server:status ---- $ {prod-cli} dashboard:open ---- + +.Additional resources + +* xref:permissions-to-install-che-on-openshift-using-cli.adoc[] \ No newline at end of file diff --git a/modules/administration-guide/pages/installing-che-on-openshift-using-the-web-console.adoc b/modules/administration-guide/pages/installing-che-on-openshift-using-the-web-console.adoc index f0c55eacfe..39d887b506 100644 --- a/modules/administration-guide/pages/installing-che-on-openshift-using-the-web-console.adoc +++ b/modules/administration-guide/pages/installing-che-on-openshift-using-the-web-console.adoc @@ -57,3 +57,7 @@ pass:[] . Under *{prod} URL*, wait until the URL of the {prod-short} instance appears, and then open the URL to check the {prod-short} dashboard. . In the *Resources* tab, view the resources for the {prod-short} deployment and their status. + +.Additional resources + +* xref:permissions-to-install-che-on-openshift-using-the-web-console.adoc[] \ No newline at end of file 
diff --git a/modules/administration-guide/pages/permissions-to-install-che-on-openshift-using-cli.adoc b/modules/administration-guide/pages/permissions-to-install-che-on-openshift-using-cli.adoc
new file mode 100644
index 0000000000..435ae6ef44
--- /dev/null
+++ b/modules/administration-guide/pages/permissions-to-install-che-on-openshift-using-cli.adoc
@@ -0,0 +1,51 @@
+:_content-type: REFERENCE
+:description: Minimum set of permissions required to install {prod-short} on OpenShift using CLI
+:keywords: permissions, openshift, installing, cli
+:navtitle: Permissions to install {prod-short} on OpenShift using CLI
+
+[id="permissions-to-install-che-on-openshift-using-cli"]
+= Permissions to install {prod-short} on OpenShift using CLI
+
+Below is the minimal set of permissions required to install {prod-short} on an OpenShift cluster using {prod-cli}:
+
+[source,yaml,subs="+quotes,+attributes"]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {prod-id-short}-install-{prod-cli}
+rules:
+- apiGroups: ["org.eclipse.che"]
+ resources: ["checlusters"]
+ verbs: ["*"]
+- apiGroups: ["project.openshift.io"]
+ resources: ["projects"]
+ verbs: ["get", "list"]
+- apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list", "create"]
+- apiGroups: [""]
+ resources: ["pods", "configmaps"]
+ verbs: ["get", "list"]
+- apiGroups: ["route.openshift.io"]
+ resources: ["routes"]
+ verbs: ["get", "list"]
+ # OLM resources permissions
+- apiGroups: ["operators.coreos.com"]
+ resources: ["catalogsources", "subscriptions"]
+ verbs: ["create", "get", "list", "watch"]
+- apiGroups: ["operators.coreos.com"]
+ resources: ["operatorgroups", "clusterserviceversions"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["operators.coreos.com"]
+ resources: ["installplans"]
+ verbs: ["patch", "get", "list", "watch"]
+- apiGroups: ["packages.operators.coreos.com"]
+ resources: ["packagemanifests"]
+ verbs: ["get", "list"]
+----
+
+.Additional resources
+
+* https://docs.openshift.com/container-platform/latest/cli_reference/openshift_cli/developer-cli-commands.html#oc-apply[`oc apply` command]
+* link:https://docs.openshift.com/container-platform/4.17/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-policy-add-cluster-role-to-user[`oc adm policy` command]
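Review bot: The `checlusters` rule grants `verbs: ["*"]`, which is broader than a page presented as the minimal set should show; a wildcard also covers `deletecollection` and any verb added later. If the installer only needs to create, read and update the custom resource (not confirmed from this hunk), list the verbs explicitly, for example `verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]`; the same rule appears in the web console role in the next file. The page also never says how the role is meant to be bound: with the linked `oc adm policy add-cluster-role-to-user`, `get`/`list` on `pods` and `configmaps` and `create` on `catalogsources` and `subscriptions` apply in every namespace. I would add a sentence such as `Bind this role only to the account that performs the installation, and remove the binding once the installation is complete.`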
diff --git a/modules/administration-guide/pages/permissions-to-install-che-on-openshift-using-the-web-console.adoc b/modules/administration-guide/pages/permissions-to-install-che-on-openshift-using-the-web-console.adoc
new file mode 100644
index 0000000000..cd030c3bb6
--- /dev/null
+++ b/modules/administration-guide/pages/permissions-to-install-che-on-openshift-using-the-web-console.adoc
@@ -0,0 +1,52 @@
+:_content-type: REFERENCE
+:description: Minimum set of permissions required to install {prod-short} on OpenShift using the web console
+:keywords: permissions, openshift, installing
+:navtitle: Permissions to install {prod-short} on OpenShift using web console
+
+[id="permissions-to-install-che-on-openshift-using-the-web-console"]
+= Permissions to install {prod-short} on OpenShift using the web console
+
+Below is the minimal set of permissions required to install {prod-short} on an OpenShift cluster using the web console:
+
+[source,yaml,subs="+quotes,+attributes"]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {prod-id-short}-install-web-console
+rules:
+- apiGroups: ["org.eclipse.che"]
+ resources: ["checlusters"]
+ verbs: ["*"]
+- apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list", "create"]
+- apiGroups: ["project.openshift.io"]
+ resources: ["projects"]
+ verbs: ["get", "list", "create"]
+ # OLM resources permissions
+- apiGroups: ["operators.coreos.com"]
+ resources: ["subscriptions"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["operators.coreos.com"]
+ resources: ["operatorgroups"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["operators.coreos.com"]
+ resources: ["clusterserviceversions", "catalogsources", "installplans"]
+ verbs: ["get", "list", "watch", "delete"]
+- apiGroups: ["packages.operators.coreos.com"]
+ resources: ["packagemanifests", "packagemanifests/icon"]
+ verbs: ["get", "list", "watch"]
+ # Workaround related to viewing operators in OperatorHub
+- apiGroups: ["operator.openshift.io"]
+ resources: ["cloudcredentials"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["config.openshift.io"]
+ resources: ["infrastructures", "authentications"]
+ verbs: ["get", "list", "watch"]
+----
+
+.Additional resources
+
+* 
https://docs.openshift.com/container-platform/latest/cli_reference/openshift_cli/developer-cli-commands.html#oc-apply[`oc apply` command]
+* link:https://docs.openshift.com/container-platform/4.17/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-policy-add-cluster-role-to-user[`oc adm policy` command]
\ No newline at end of file
diff --git a/modules/administration-guide/pages/permissions-to-install-che.adoc b/modules/administration-guide/pages/permissions-to-install-che.adoc
new file mode 100644
index 0000000000..5cc8c13f86
--- /dev/null
+++ b/modules/administration-guide/pages/permissions-to-install-che.adoc
@@ -0,0 +1,14 @@
+:_content-type: ASSEMBLY
+:description: Permissions to install {prod}
+:keywords: administration-guide, installing, permissions
+:navtitle: Permissions to install Che
+:page-aliases:
+
+[id="permissions-to-install-che"]
+= Permissions to install {prod-short}
+
+Learn about the permissions required to install {prod} on different {kubernetes} clusters.
+
+* xref:permissions-to-install-che-on-openshift-using-cli.adoc[]
+
+* xref:permissions-to-install-che-on-openshift-using-the-web-console.adoc[]
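Review bot: In the web console ClusterRole, the OLM rules give `delete` on `clusterserviceversions`, `catalogsources` and `installplans` and full write access to `subscriptions` across the cluster, which lets the holder remove Operators unrelated to {prod-short}. Installation itself presumably needs only read access to those three resources, so either drop `delete` (`verbs: ["get", "list", "watch"]`) or add a YAML comment naming the console step that requires it, in the style of the existing `# Workaround related to viewing operators in OperatorHub` comment. Because an account that can create a Subscription can have OLM install an Operator with the permissions its bundle requests, the page should state that this role is intended for a trusted administrator. The two links under Additional resources also mix a `latest` URL without `link:` and a pinned `4.17` URL with `link:`; using one form for both would keep them from drifting.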