To access a SharedConfigMap custom resource (CR) instance from a pod, you grant a given service account RBAC permissions to use that SharedConfigMap CR instance.
- You have created a SharedConfigMap CR instance for the config map that you want to share across namespaces in the cluster.
- You must have permission to perform the following actions:
  - Discover which SharedConfigMap CR instances are available by entering the oc get sharedconfigmaps command and getting a non-empty list back.
  - Determine if the service account your pod specifies is allowed to use the given SharedSecret CR instance. That is, you can run oc adm policy who-can use <identifier of specific SharedSecret> to see if the service account in your namespace is listed.
  - Determine if the service account your pod specifies is allowed to use csi volumes, or if you, as the requesting user who created the pod directly, are allowed to use csi volumes. See "Understanding and managing pod security admission" for details.

Note: If neither of the last two prerequisites in this list is met, create, or ask someone to create, the necessary role-based access control (RBAC) so that you can discover
- Grant a given service account RBAC permissions to use the SharedConfigMap CR instance in its pod by using oc apply with YAML content.

  Note: Currently, kubectl and oc have hard-coded special case logic restricting the use verb to roles centered around pod security. Therefore, you cannot use oc create role … to create the role needed for consuming a SharedConfigMap CR instance.

    $ oc apply -f - <<EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: shared-resource-my-share
      namespace: my-namespace
    rules:
      - apiGroups:
          - sharedresource.openshift.io
        resources:
          - sharedconfigmaps
        resourceNames:
          - my-share
        verbs:
          - use
    EOF

- Create the RoleBinding associated with the role by using the oc command:

    $ oc create rolebinding shared-resource-my-share --role=shared-resource-my-share --serviceaccount=my-namespace:builder

- Access the SharedConfigMap CR instance from a pod:

    $ oc apply -f - <<EOF
    kind: Pod
    apiVersion: v1
    metadata:
      name: my-app
      namespace: my-namespace
    spec:
      serviceAccountName: builder  # must be the service account the RoleBinding grants the use verb to
      # containers omitted …. Follow standard use of 'volumeMounts' for referencing your shared resource volume
      volumes:
        - name: my-csi-volume
          csi:
            readOnly: true
            driver: csi.sharedresource.openshift.io
            volumeAttributes:
              sharedConfigMap: my-share
    EOF