Hi Mayur,
The service accounts are created by these scripts as a way to link to extended security constraints required by some Verify Access components.
The "worker" containers (Reverse Proxy, Runtime, DSC) do not require special permissions. They can run with default OpenShift permissions.
The configuration container requires some extended permissions (you can see them in the security-constraints.yaml file in the repo.
The OpenLDAP container (provided for testing) requires run-as-root
The PostgreSQL container (provided for testing) requires run-as-user
If your cluster admin team can create the required constraints and map them to service accounts in your project that is the best way forward.
If they won't grant these permissions to your project then you can't run those components under OpenShift.
For OpenLDAP and PostgreSQL, if you can't run these under OpenShift, maybe you'll have to run LDAP and DB components elsewhere. This is quite a common pattern for production deployment where IBM Directory Server and IBM DB2 are used for these items. These products are included as "supporting programmes" in the Verify Access licence. Other vendor database and LDAP are supported too but, obviously, you'd have to licence them separately.
For the configuration container, you might consider running it under a local docker environment and building configurations there which you then publish and push into the "worker" containers running under OpenShift. More complex than you really want for a POC though. A "snapshot manager" container can be used which can host the snapshots in OpenShift. The configuration container can publish to it.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
Original Message:
Sent: Wed October 13, 2021 06:16 AM
From: Mayur Wattamwar
Subject: Forbidden Issue
We are doing quick POC for the ISVA on open sfhit V4 , as per below page we are creating secrete by using setup-security.sh but having below error. but when we have cheked inernally with our open shift team they have confirmed they will not provide access to create service account for our id as per internal process. so do we have any work around for this?
************** DEV $ oc create serviceaccount verifyaccess-config
Error from server (Forbidden): serviceaccounts is forbidden: User "*****" cannot create resource "serviceaccounts" in API group "" in the namespace "***"
GitHub - iamexploring/container-deployment: Assets for exploring deployment of IBM Security Verify Access in containers.
GitHub |
remove preview |
|
GitHub - iamexploring/container-deployment: Assets for exploring deployment of IBM Security Verify Access in containers. |
These assets are for IBM Security Verify Access v10.0.2.0. Assets for v10.0.0.0 (which will also work with v10.0.1.0) are available as a release. Checkout tag v10.0.0.0-1. Assets for IBM Security Access Manager are available at https://ibm.biz/isamdocker This cookbook describes deployment with Native Docker and Docker Compose. |
View this on GitHub > |
|
|
------------------------------
Mayur Wattamwar
------------------------------