About Privileges

The TimesTen Operator needs different privileges depending on whether you install it at namespace-scope or at cluster-scope.
  • When the TimesTen Operator runs in a namespace in your cluster at namespace-scope, it only needs privileges within the namespace where you installed it. The TimesTen Operator does not require privileges in any other namespace in the cluster.

  • When the TimesTen Operator runs in the timesten-operator namespace in your cluster at cluster-scope, it needs privileges within the namespace it runs in as well as in every namespace in the cluster.

Kubernetes uses Roles and RoleBindings to specify privileges within a single namespace and uses ClusterRoles and ClusterRoleBindings to specify privileges across all namespaces. For more information about Kubernetes Roles, RoleBindings, ClusterRoles, and ClusterRoleBindings, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/ in the Kubernetes documentation.

When the TimesTen Operator runs at namespace-scope, it requires Roles and RoleBindings to operate. Specifically, when you install the TimesTen Operator in a namespace at namespace-scope, a ServiceAccount called timesten-operator is created in this namespace and a RoleBinding is created and used to give the timesten-operator service account the necessary privileges. These privileges are defined in the timesten-operator Role.

When the TimesTen Operator runs at cluster-scope, it requires Roles, RoleBindings, ClusterRoles, and ClusterRoleBindings to operate. Since the TimesTen Operator needs privileges in every namespace and needs additional privileges just in its namespace, the following objects are provisioned:
  • ClusterRole called timesten-operator: Defines the privileges that the TimesTen Operator requires in each namespace in the cluster.

  • ClusterRoleBinding called timesten-operator: Gives the timesten-operator service account in the timesten-operator namespace the privileges in the timesten-operator cluster role.

  • Namespace timesten-operator: The namespace in which the TimesTen Operator runs. This namespace name is not configurable. In this namespace, the following objects are created:
    • ServiceAccount called timesten-operator: The TimesTen Operator runs with the privileges of this service account.

    • Role called timesten-operator: Defines the privileges the TimesTen Operator requires in the timesten-operator namespace.

    • RoleBinding called timesten-operator: Gives the timesten-operator service account in the timesten-operator namespace the privileges in the timesten-operator role.

In summary, when you install the TimesTen Operator in a namespace in your cluster at namespace-scope, a ServiceAccount called timesten-operator is created in that namespace and a RoleBinding is used to give the service account the necessary privileges. In contrast, when you install the TimesTen Operator in your cluster at cluster-scope, the timesten-operator namespace is created. In addition, a ServiceAccount is created in this timesten-operator namespace and RoleBindings and ClusterRoleBindings are used to give the service account the necessary privileges. There are examples later in the chapter that illustrate the creation of these objects.
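The following script is an added illustration (not part of this chapter's own examples, and not the TimesTen Operator's code) of how the bindings described above translate into effective scope. It models the Kubernetes rule that a ClusterRoleBinding grants its ClusterRole in every namespace while a RoleBinding grants only inside its own namespace (it also covers the general case, not mentioned above, of a RoleBinding that references a ClusterRole, which still grants only inside the binding's namespace). The namespace "mynamespace" for the namespace-scoped install is an assumed sample value; the object names are the ones from the text.

```python
"""Resolve the namespaces in which a ServiceAccount holds RBAC privileges."""
from __future__ import annotations
from dataclasses import dataclass

CLUSTER_WIDE = "*"  # marker meaning "every namespace in the cluster"


@dataclass(frozen=True)
class Subject:
    name: str       # ServiceAccount name
    namespace: str  # namespace the ServiceAccount lives in


@dataclass(frozen=True)
class Binding:
    kind: str              # "RoleBinding" or "ClusterRoleBinding"
    namespace: str | None  # binding's own namespace; None for ClusterRoleBinding
    role_kind: str         # "Role" or "ClusterRole" (the roleRef kind)
    role_name: str
    subjects: tuple        # tuple of Subject


def effective_scopes(bindings: list[Binding], subject: Subject) -> dict[str, set[str]]:
    """Map each scope (a namespace, or CLUSTER_WIDE) to the roles granted there.

    A ClusterRoleBinding applies in every namespace; a RoleBinding applies only
    in the namespace that holds the binding, even if its roleRef is a ClusterRole.
    """
    scopes: dict[str, set[str]] = {}
    for b in bindings:
        if b.kind == "ClusterRoleBinding" and b.role_kind != "ClusterRole":
            raise ValueError("a ClusterRoleBinding may only reference a ClusterRole")
        if subject not in b.subjects:
            continue
        scope = CLUSTER_WIDE if b.kind == "ClusterRoleBinding" else b.namespace
        scopes.setdefault(scope, set()).add(f"{b.role_kind}/{b.role_name}")
    return scopes


def can_act_in(bindings: list[Binding], subject: Subject, namespace: str) -> bool:
    """True if the subject holds any role that applies inside `namespace`."""
    scopes = effective_scopes(bindings, subject)
    return CLUSTER_WIDE in scopes or namespace in scopes


# Constructed sample objects mirroring the two install modes described above.
NS_SA = Subject("timesten-operator", "mynamespace")          # assumed namespace
NAMESPACE_SCOPED = [Binding("RoleBinding", "mynamespace", "Role", "timesten-operator", (NS_SA,))]
SA = Subject("timesten-operator", "timesten-operator")
CLUSTER_SCOPED = [
    Binding("ClusterRoleBinding", None, "ClusterRole", "timesten-operator", (SA,)),
    Binding("RoleBinding", "timesten-operator", "Role", "timesten-operator", (SA,)),
]
```

Running `effective_scopes(CLUSTER_SCOPED, SA)` shows the ClusterRole under the cluster-wide scope and the extra Role only under the timesten-operator namespace, which is exactly the split the text describes.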