ibm-iam-operator
The ibm-iam-operator installs the IBM Cloud Platform Common Services Identity and Access Management (IAM) service.
Important: Do not install this operator directly. Install this operator only by using the IBM Common Service Operator. For more information about installing the IBM Common Service Operator, see the Installer documentation (https://www.ibm.com/support/knowledgecenter/SSHKN6/kc_welcome_cs.html).
If you are using the operator as part of an IBM Cloud Pak, see the documentation for that IBM Cloud Pak to learn more about how to install and use the operator service. For more information about IBM Cloud Paks, see IBM Cloud Paks that use Common Services.
You can use the ibm-iam-operator to install the authentication and authorization services for the IBM Cloud Platform Common Services.
With these services, you can configure security for IBM Cloud Platform Common Services, IBM Certified Containers (IBM products), or IBM Cloud Paks that are installed.
For more information about the available IBM Cloud Platform Common Services, see the IBM Knowledge Center.
Operator versions
- 3.6.1
- 3.6.0
  - With this version, support for OpenShift 4.3 is added.
- 3.5.0
Prerequisites
Before you install this operator, you need to first install the operator dependencies and prerequisites:
Documentation
To install the operator by using the IBM Common Services Operator, follow the installation and configuration instructions that are in the IBM Knowledge Center.
End-to-End testing
For more instructions about how to run end-to-end testing with the Operand Deployment Lifecycle Manager, see ODLM guide.
Quick start guide
These steps are based on the Operator Framework: Getting Started and Creating an App Operator.
Complete the following steps:
- Set the Go environment variables.
  export GOPATH=/home/<username>/go
  export GO111MODULE=on
  export GOPRIVATE="github.ibm.com"
- Create the operator skeleton.
  cd /home/ibmadmin/workspace/cs-operators
  operator-sdk new iam-operator --repo github.com/ibm/iam-operator
  The main program for the operator, cmd/manager/main.go, initializes and runs the Manager. The Manager completes the following tasks:
  - Automatically registers the scheme for all custom resources that are defined under pkg/apis/....
  - Runs all controllers under pkg/controller/....
  - Restricts the namespace that all controllers watch for resources.
- Create the API definition ("Kind") that is used to create the CRD.
  a. cd /home/ibmadmin/workspace/cs-operators/iam-operator
  b. Create hack/boilerplate.go.txt, which contains the copyright header for the generated code.
  c. Create the API definition ("Kind") by running the following command:
     operator-sdk add api --api-version=operator.ibm.com/v1alpha1 --kind=IAM
  The command completes the following tasks:
  - Generates pkg/apis/operator/v1alpha1/<kind>_types.go. For example, pkg/apis/operator/v1alpha1/authentications.go.
  - Generates deploy/crds/operator.ibm.com_<kind>s_crd.yaml. For example, deploy/crds/operator.ibm.com_authentications_crd.yaml.
  - Generates deploy/crds/operator.ibm.com_v1alpha1_<kind>_cr.yaml. For example, deploy/crds/operator.ibm.com_v1alpha1_authentications_cr.yaml.
  The operator can manage more than one Kind (API resource).
- Edit <kind>_types.go and add the fields that are exposed to the user. Then, regenerate the CRD.
  a. Edit <kind>_types.go and add fields to the <Kind>Spec struct. Then, run the following command:
     operator-sdk generate k8s
     The command updates zz_generated.deepcopy.go.
  b. Generate CRDs.
     Note: The Operator Framework: Getting Started provides the operator-sdk generate openapi command to generate the CRD. However, that command is deprecated. You can run the following commands instead:
     operator-sdk generate crds
     - The command updates operator.ibm.com_authentications_crd.yaml.
     openapi-gen --logtostderr=true -o "" -i ./pkg/apis/operator/v1alpha1 -O zz_generated.openapi -p ./pkg/apis/operator/v1alpha1 -h hack/boilerplate.go.txt -r "-"
  Note: Every time you modify <kind>_types.go, run generate k8s, generate crds, and openapi-gen to update the CRD and the generated code.
- Create the controller, which creates resources such as Deployments, DaemonSets, and other resources.
  operator-sdk add controller --api-version=operator.ibm.com/v1alpha1 --kind=IAM
Notes:
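The step above that matters most for security is the one operator-sdk cannot do for you: deciding which fields the <Kind>Spec struct exposes and how they are validated, because those fields become the CRD schema that every CR in the cluster is checked against. The following is an added example, not code from the ibm-iam-operator project: a hypothetical, trimmed-down authentication_types.go with an assumed AuthenticationSpec (the field names, the kubebuilder markers and the validation rules are all assumptions) plus a helper that decodes a constructed CR and applies the same rules in Go. The real generated file also embeds metav1.TypeMeta and metav1.ObjectMeta; those k8s.io imports are left out so the snippet runs with the standard library alone.

```go
// Added example (not from the ibm-iam-operator project): a hypothetical
// pkg/apis/operator/v1alpha1/authentication_types.go reduced to the parts
// the developer writes by hand: the Spec/Status fields, their JSON tags,
// and a validation helper that mirrors the kubebuilder markers.
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// AuthenticationSpec holds the user-facing fields (assumed names). The json
// tags decide the keys that appear in the CR YAML and in the generated CRD
// schema; the markers become openapi validation after `generate crds`.
// +k8s:openapi-gen=true
type AuthenticationSpec struct {
	// +kubebuilder:validation:Minimum=1
	Replicas int32 `json:"replicas"`
	// +kubebuilder:validation:Enum=ldap;saml;oidc
	IdentityProvider string `json:"identityProvider"`
	// Name of an existing Secret holding the IdP credentials, never the
	// credentials themselves: a CR is readable by anyone with get on the Kind.
	CredentialsSecret string `json:"credentialsSecret"`
	// Optional token lifetime; empty means the operator default.
	TokenTTL string `json:"tokenTTL,omitempty"`
}

// AuthenticationStatus is written by the controller, never by the user.
type AuthenticationStatus struct {
	Nodes []string `json:"nodes,omitempty"`
}

// Authentication is the top-level resource. The generated file embeds
// metav1.TypeMeta and metav1.ObjectMeta instead of these literal fields.
type Authentication struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Metadata   struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace,omitempty"`
	} `json:"metadata"`
	Spec   AuthenticationSpec   `json:"spec"`
	Status AuthenticationStatus `json:"status,omitempty"`
}

var allowedProviders = map[string]bool{"ldap": true, "saml": true, "oidc": true}

// Validate repeats the marker rules in Go so the controller still rejects a
// CR that reached the API server through an older CRD schema.
func (s AuthenticationSpec) Validate() error {
	if s.Replicas < 1 {
		return fmt.Errorf("spec.replicas must be >= 1, got %d", s.Replicas)
	}
	if !allowedProviders[s.IdentityProvider] {
		return fmt.Errorf("spec.identityProvider %q is not one of ldap, saml, oidc", s.IdentityProvider)
	}
	if s.CredentialsSecret == "" {
		return errors.New("spec.credentialsSecret is required")
	}
	return nil
}

// ParseAuthentication decodes a CR (the JSON form of the YAML kubectl
// accepts), checks apiVersion/kind, validates the spec and returns it.
func ParseAuthentication(raw []byte) (*Authentication, error) {
	var a Authentication
	if err := json.Unmarshal(raw, &a); err != nil {
		return nil, err
	}
	if a.APIVersion != "operator.ibm.com/v1alpha1" || a.Kind != "Authentication" {
		return nil, fmt.Errorf("unexpected apiVersion/kind %s/%s", a.APIVersion, a.Kind)
	}
	if err := a.Spec.Validate(); err != nil {
		return nil, err
	}
	return &a, nil
}

// Constructed sample CR, the JSON equivalent of a hypothetical
// deploy/crds/operator.ibm.com_v1alpha1_authentications_cr.yaml.
const sampleCR = `{
  "apiVersion": "operator.ibm.com/v1alpha1",
  "kind": "Authentication",
  "metadata": {"name": "example-authentication", "namespace": "ibm-common-services"},
  "spec": {"replicas": 2, "identityProvider": "ldap", "credentialsSecret": "ldap-bind-creds"}
}`

func main() {
	a, err := ParseAuthentication([]byte(sampleCR))
	if err != nil {
		fmt.Println("invalid CR:", err)
		return
	}
	fmt.Printf("%s/%s: %d replicas via %s\n",
		a.Metadata.Namespace, a.Metadata.Name, a.Spec.Replicas, a.Spec.IdentityProvider)
}
```

After editing the struct, the three regeneration commands from the step above have to be rerun; otherwise the CRD on the cluster still carries the old schema and only the in-controller Validate keeps malformed specs out.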
Running locally
- Create the CRD. Do this one time before you start the operator.
  a. cd /home/ibmadmin/workspace/cs-operators/iam-operator
  b. oc login
  c. kubectl create -f deploy/crds/operator.ibm.com_authentications_crd.yaml
  d. kubectl get crd authentications.operator.ibm.com
  If the CRD changes, delete it and create it again:
  - kubectl delete crd authentications.operator.ibm.com
- Run the operator locally.
  a. cd /home/ibmadmin/workspace/cs-operators/iam-operator
  b. oc login
  c. export OPERATOR_NAME=iam-operator
  d. operator-sdk up local --namespace=<namespace>
- Create a CR, which is an instance of the CRD.
  - Edit deploy/crds/operator.ibm.com_v1alpha1_authentications_cr.yaml.
  - kubectl create -f deploy/crds/operator.ibm.com_v1alpha1_authentications_cr.yaml
- Delete the CR and the associated resources that were created.
  kubectl delete authentications example-authentication
SecurityContextConstraints Requirements
The IBM IAM operator service supports running with the OpenShift Container Platform default restricted Security Context Constraints (SCCs).
For more information about the OpenShift Container Platform Security Context Constraints, see Managing Security Context Constraints.
PodSecurityPolicy Requirements
The IAM operator does not define any specific pod security requirements.
Custom PodSecurityPolicy definition:
The IAM operator does not define any specific custom pod security requirements.
Custom SecurityContextConstraints definition:
The IAM operator runs under the restricted security context constraint with a non-root UID.
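Running under the default restricted SCC is only possible if the operator's own Deployment asks for nothing the SCC forbids. The following is an added example, not a manifest from the ibm-iam-operator project: a Deployment whose pod- and container-level securityContext is admissible under the OpenShift restricted SCC. The names, labels, service account and image are placeholders.

```yaml
# Added example (not the project's manifest): a Deployment that the
# OpenShift default "restricted" SCC admits. Names and image are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: iam-operator                       # placeholder
spec:
  replicas: 1
  selector:
    matchLabels:
      name: iam-operator
  template:
    metadata:
      labels:
        name: iam-operator
    spec:
      serviceAccountName: iam-operator     # placeholder; must not be granted anyuid/privileged
      securityContext:
        runAsNonRoot: true                 # restricted rejects uid 0
        # no runAsUser: restricted (MustRunAsRange) assigns a uid from the
        # namespace's allocated range; a fixed uid outside it is rejected
      containers:
      - name: operator
        image: OPERATOR_IMAGE_PLACEHOLDER
        securityContext:
          privileged: false
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL                          # restricted drops KILL/MKNOD/SETUID/SETGID; ALL is the stricter superset
        volumeMounts:
        - name: tmp
          mountPath: /tmp                  # writable scratch space since the root fs is read-only
      volumes:
      - name: tmp
        emptyDir: {}
```

To confirm which SCC actually admitted the running pod, read the openshift.io/scc annotation on it (for example with oc get pod <name> -o yaml); if it says anything other than restricted, the service account has been bound to a more permissive SCC than the operator needs.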