chore: Minimal set of permissions to deploy che on openshift (#2794)

* chore: Minimal set of permissions to deploy che on openshift Signed-off-by: Anatolii Bazko <[email protected]> * Add articles to nav.adoc Signed-off-by: Anatolii Bazko <[email protected]> * Add additional resources Signed-off-by: Anatolii Bazko <[email protected]> * Update modules/administration-guide/pages/permissions-to-install-che-on-openshift-using-the-web-console.adoc Co-authored-by: Jana Vrbkova <[email protected]> * Update modules/administration-guide/pages/permissions-to-install-che-on-openshift-using-cli.adoc Co-authored-by: Jana Vrbkova <[email protected]> * Update modules/administration-guide/pages/permissions-to-install-che.adoc Co-authored-by: Jana Vrbkova <[email protected]> --------- Signed-off-by: Anatolii Bazko <[email protected]> Co-authored-by: Jana Vrbkova <[email protected]>
eclipse-che · Oct 8, 2024 · d810024 · d810024
1 parent af356b0
commit d810024
Show file tree

Hide file tree

Showing 6 changed files with 128 additions and 0 deletions.
diff --git a/modules/administration-guide/nav.adoc b/modules/administration-guide/nav.adoc
@@ -26,6 +26,9 @@
 *** xref:installing-che-on-minikube.adoc[]
 *** xref:installing-che-on-minikube-keycloak-oidc.adoc[]
 ** xref:finding-the-fully-qualified-domain-name-fqdn.adoc[]
+** xref:permissions-to-install-che.adoc[]
+*** xref:permissions-to-install-che-on-openshift-using-cli.adoc[]
+*** xref:permissions-to-install-che-on-openshift-using-the-web-console.adoc[]
 * xref:configuring-che.adoc[]
 ** xref:understanding-the-checluster-custom-resource.adoc[]
 *** xref:using-chectl-to-configure-the-checluster-custom-resource-during-installation.adoc[]

diff --git a/modules/administration-guide/pages/installing-che-on-openshift-using-cli.adoc b/modules/administration-guide/pages/installing-che-on-openshift-using-cli.adoc
@@ -49,3 +49,7 @@ $ {prod-cli} server:status
 ----
 $ {prod-cli} dashboard:open
 ----
+
+.Additional resources
+
+* xref:permissions-to-install-che-on-openshift-using-cli.adoc[]
diff --git a/...ministration-guide/pages/installing-che-on-openshift-using-the-web-console.adoc b/...ministration-guide/pages/installing-che-on-openshift-using-the-web-console.adoc
@@ -57,3 +57,7 @@ pass:[<!-- vale RedHat.Spelling = YES -->]
 . Under *{prod} URL*, wait until the URL of the {prod-short} instance appears, and then open the URL to check the {prod-short} dashboard.
 
 . In the *Resources* tab, view the resources for the {prod-short} deployment and their status.
+
+.Additional resources
+
+* xref:permissions-to-install-che-on-openshift-using-the-web-console.adoc[]
diff --git a/...ministration-guide/pages/permissions-to-install-che-on-openshift-using-cli.adoc b/...ministration-guide/pages/permissions-to-install-che-on-openshift-using-cli.adoc
@@ -0,0 +1,51 @@
+:_content-type: REFERENCE
+:description: Minimum set of permissions required to install {prod-short} on OpenShift using CLI
+:keywords: permissions, openshift, installing, cli
+:navtitle: Permissions to install {prod-short} on OpenShift using CLI
+
+[id="permissions-to-install-che-on-openshift-using-cli"]
+= Permissions to install {prod-short} on OpenShift using CLI
+
+Below is the minimal set of permissions required to install {prod-short} on an OpenShift cluster using {prod-cli}:
+
+[source,yaml,subs="+quotes,+attributes"]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {prod-id-short}-install-{prod-cli}
+rules:
+- apiGroups: ["org.eclipse.che"]
+  resources: ["checlusters"]
+  verbs: ["*"]
+- apiGroups: ["project.openshift.io"]
+  resources: ["projects"]
+  verbs: ["get", "list"]
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "list", "create"]
+- apiGroups: [""]
+  resources: ["pods", "configmaps"]
+  verbs: ["get", "list"]
+- apiGroups: ["route.openshift.io"]
+  resources: ["routes"]
+  verbs: ["get", "list"]
+  # OLM resources permissions
+- apiGroups: ["operators.coreos.com"]
+  resources: ["catalogsources", "subscriptions"]
+  verbs: ["create", "get", "list", "watch"]
+- apiGroups: ["operators.coreos.com"]
+  resources: ["operatorgroups", "clusterserviceversions"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["operators.coreos.com"]
+  resources: ["installplans"]
+  verbs: ["patch", "get", "list", "watch"]
+- apiGroups: ["packages.operators.coreos.com"]
+  resources: ["packagemanifests"]
+  verbs: ["get", "list"]
+----
+
+.Additional resources
+
+* https://docs.openshift.com/container-platform/latest/cli_reference/openshift_cli/developer-cli-commands.html#oc-apply[`oc apply` command]
+* link:https://docs.openshift.com/container-platform/4.17/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-policy-add-cluster-role-to-user[`oc adm policy` command]
diff --git a/...-guide/pages/permissions-to-install-che-on-openshift-using-the-web-console.adoc b/...-guide/pages/permissions-to-install-che-on-openshift-using-the-web-console.adoc
@@ -0,0 +1,52 @@
+:_content-type: REFERENCE
+:description: Minimum set of permissions required to install {prod-short} on OpenShift using the web console
+:keywords: permissions, openshift, installing
+:navtitle: Permissions to install {prod-short} on OpenShift using web console
+
+[id="permissions-to-install-che-on-openshift-using-the-web-console"]
+= Permissions to install {prod-short} on OpenShift using the web console
+
+Below is the minimal set of permissions required to install {prod-short} on an OpenShift cluster using the web console:
+
+[source,yaml,subs="+quotes,+attributes"]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {prod-id-short}-install-web-console
+rules:
+- apiGroups: ["org.eclipse.che"]
+  resources: ["checlusters"]
+  verbs: ["*"]
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "list", "create"]
+- apiGroups: ["project.openshift.io"]
+  resources: ["projects"]
+  verbs: ["get", "list", "create"]
+  # OLM resources permissions
+- apiGroups: ["operators.coreos.com"]
+  resources: ["subscriptions"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["operators.coreos.com"]
+  resources: ["operatorgroups"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["operators.coreos.com"]
+  resources: ["clusterserviceversions", "catalogsources", "installplans"]
+  verbs: ["get", "list", "watch", "delete"]
+- apiGroups: ["packages.operators.coreos.com"]
+  resources: ["packagemanifests", "packagemanifests/icon"]
+  verbs: ["get", "list", "watch"]
+  # Workaround related to viewing operators in OperatorHub
+- apiGroups: ["operator.openshift.io"]
+  resources: ["cloudcredentials"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["config.openshift.io"]
+  resources: ["infrastructures", "authentications"]
+  verbs: ["get", "list", "watch"]
+----
+
+.Additional resources
+
+* https://docs.openshift.com/container-platform/latest/cli_reference/openshift_cli/developer-cli-commands.html#oc-apply[`oc apply` command]
+* link:https://docs.openshift.com/container-platform/4.17/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-policy-add-cluster-role-to-user[`oc adm policy` command]
diff --git a/modules/administration-guide/pages/permissions-to-install-che.adoc b/modules/administration-guide/pages/permissions-to-install-che.adoc
@@ -0,0 +1,14 @@
+:_content-type: ASSEMBLY
+:description: Permissions to install {prod}
+:keywords: administration-guide, installing, permissions
+:navtitle: Permissions to install Che
+:page-aliases:
+
+[id="permissions-to-install-che"]
+= Permissions to install {prod-short}
+
+Learn about the permissions required to install {prod} on different {kubernetes} clusters.
+
+* xref:permissions-to-install-che-on-openshift-using-cli.adoc[]
+
+* xref:permissions-to-install-che-on-openshift-using-the-web-console.adoc[]