Cloud Pak for Business Automation

 View Only
  • 1.  Clusteradmin rights for installing CP4A

    Posted Tue January 28, 2020 09:11 AM
    Do you need 'clusteradmin' rights when installing "IBM Cloud Pak for Automation v19.0.3 - Content Manager for Certified Kubernetes Multiplatform Multilingual (CC48UML)" on RedHat OpenShift (On Premise)?

    ------------------------------
    Jeroen Lamers
    ------------------------------


  • 2.  RE: Clusteradmin rights for installing CP4A

    Posted Thu July 23, 2020 08:10 PM
    Edited by YAN FEN GUO Thu July 23, 2020 08:11 PM
    It is a little bit late to answer this but yes, you need  'clusteradmin' rights on CRD and new project creation and proper permission set to a non-admin user on this project. Then the non-admin user can do deployment in this project.
    Since latest 20.0.2 already got released so suggest you choose it, it has two script to help you on installation, one need to run as clusteradmin, another can run with non-admin. Here is the Guide: https://www.ibm.com/support/knowledgecenter/en/SSYHZ8_20.0.x/com.ibm.dba.install/op_topics/con_install_options.html

    ------------------------------
    YAN FEN GUO
    ------------------------------



  • 3.  RE: Clusteradmin rights for installing CP4A

    Posted Fri July 24, 2020 07:08 AM
    Hi Yan Fen,
    the feedback I received from a client who participated in the BAW on Containers TechPreview was, that in their OCP deployment the "project user" (which would be the "System Admin" or "CloudPak Admin" user role we describe in our documentation) they receive from the OCP admin does NOT have cluster admin right or the elevated permissions we expect. Feedback from their OCP team (backed up by feedback from Red Hat consultants that support the OCP team) was that it is not a commonly used pattern that a project in OCP requests cluster admin rights in order to be deployed.
    I think it is mandatory that we look into the way how we control the deployment and sync that with the best practices on OCP.  Do you know if there is any effort in CP4Auto to remove the "cluster admin" requirement for future releases?

    ------------------------------
    Michael Kirchner
    ------------------------------



  • 4.  RE: Clusteradmin rights for installing CP4A

    Posted Fri July 24, 2020 07:09 AM
    Hi Yan Fen,

    one of my clients ran into problems deploying the BAW tech preview on a shared OCP cluster as the "project user" (basically the role of the "CloudPak administrator" we describe in the documentation you referred to) they receive from the OCP admin team does not have the appropriate permissions to run the deployment scripts. The feedback from the OCP admin team (backed up by feedback from Red Hat consultants which support this team) was that it is not best practise in OCP that a project requires a used with cluster admin rights in order to deploy the project artifacts.
    Question: Are we working on this topic in order to remove the "cluster admin" requirement and thus make the CP4Auto deployment process in line with OCP best practices?

    Thanks in advance for your comments!

    Best regards

    ------------------------------
    Michael Kirchner
    ------------------------------



  • 5.  RE: Clusteradmin rights for installing CP4A

    Posted Fri July 24, 2020 09:11 AM
    Hi Yan Fen,

    I received the feedback from a client who participated in the BAW on containers Tech Preview that the "project user" (which is the "CloudPak admin" role we describe in our documentation) which they receive on the (shared) OCP cluster does not have the appropriate permissions we require for the deployment.
    The feedback from their OCP team (which is backed up by feedback from Red Had consultants which support this OCP team) was, that it is not best practise that a cluster admin rights are required to run any part of the installation for a project in OCP.
    Question: Are you aware of a workstream in the CP4Auto development to eliminate this requirement and to ensure that the deployment process for CP4Auto is in line with the best practises for OCP?

    Thanks in advance and best regards!

    ------------------------------
    Michael Kirchner
    ------------------------------



  • 6.  RE: Clusteradmin rights for installing CP4A

    Posted Fri July 24, 2020 09:46 AM
    Hi Michael,
    I'm not aware of any permission change in plan.
    The current design is we need cluster-admin to do some prerequisites, like create CRD, create new-project and assign proper permission to a non-admin user (I believe this is the CloudPak administrator user ), then this non-admin user can do the real deployment work. So we are align with OCP best practice: not require cluster-admin to do deployment process.

    ------------------------------
    YAN FEN GUO
    ------------------------------