Provisioning a controller in a different OpenShift project than the operations center


By default, managed controllers are created in the same project that the operations center is running in.

To create a managed controller in a specific OpenShift project, the project must be pre-created with the proper resources.

Those resources are:

  • The 'jenkins' ServiceAccount that will be used by the managed controller(s) to provision Jenkins agents.

  • The Role and RoleBinding of the 'jenkins' ServiceAccount

  • The Role and RoleBinding of the operations center ServiceAccount, which allow operations center to manage the controller's resources in that project

Red Hat recommends that OpenShift production clusters use the ovs-multitenant network plugin. With this plugin, pods in one namespace cannot reach the services of another namespace except through a route exposed on the router.

If ovs-multitenant is enabled, the project running operations center must be made a global project before it can run managed controllers in other projects. Use the oc adm command below to make the project global; replace cloudbees with the name of your project.

oc adm pod-network make-projects-global cloudbees

Here is the definition of the 'jenkins' service account and associated Role and RoleBinding:

The RoleBinding namespace '<PROJECT-MASTER-X>' should be the newly created project name.

apiVersion: v1
kind: List
items:
- kind: ServiceAccount
  apiVersion: v1
  metadata:
    name: jenkins
- kind: Role
  apiVersion: v1
  metadata:
    name: pods-all
  rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get","list","watch"]
- kind: RoleBinding
  apiVersion: v1
  metadata:
    name: jenkins
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: pods-all
    # The new project name
    namespace: <PROJECT-MASTER-X>
  subjects:
  - kind: ServiceAccount
    name: jenkins
    namespace: <PROJECT-MASTER-X>

To create a managed controller in a specific OpenShift project, operations center must have the Role privileges to do so.

The RoleBinding namespace '<PROJECT-MASTER-X>' should be the newly created project name.

The RoleBinding must specify the namespace in which the cjoc ServiceAccount is defined (in the following example, cje).

apiVersion: v1
kind: List
items:
- kind: Role
  apiVersion: v1
  metadata:
    name: master-management
  rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get","list","watch"]
  - apiGroups: ["apps"]
    resources: ["statefulsets"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: ["route.openshift.io",""]
    resources: ["routes"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: ["route.openshift.io"]
    resources: ["routes/custom-host"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["list"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get","list","watch"]
- kind: RoleBinding
  apiVersion: v1
  metadata:
    name: cjoc
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: master-management
    namespace: <PROJECT-MASTER-X>
  subjects:
  - kind: ServiceAccount
    name: cjoc
    # cjoc service account project name
    namespace: cje

Optionally, you can give operations center the privileges to list namespaces so that the user can select the project/namespace instead of typing the namespace in. To accomplish this, operations center must have the ClusterRole privileges to do so.

The ClusterRoleBinding must specify the namespace in which the cjoc ServiceAccount is defined (in the following example, cje).

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cjoc-ns-management
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cjoc-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cjoc-ns-management
subjects:
- kind: ServiceAccount
  name: cjoc
  # cjoc service account namespace
  namespace: cje

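The following script is an added example, not part of the CloudBees documentation: it renders the manifests above for a target project and then verifies with oc auth can-i that the cjoc ServiceAccount received exactly the access the master-management Role grants and nothing beyond it. It assumes the two List manifests are saved as jenkins-rbac.yaml and cjoc-rbac.yaml (assumed file names) with the <PROJECT-MASTER-X> placeholder still in place.

```shell
#!/bin/sh
# Added example (not CloudBees code): render the page's RBAC manifests for a target
# project and verify the resulting permissions of the operations center ServiceAccount.
# Assumed inputs: jenkins-rbac.yaml and cjoc-rbac.yaml, both still containing the
# <PROJECT-MASTER-X> placeholder; an active `oc` login with rights to create RBAC.
set -u

# Replace the <PROJECT-MASTER-X> placeholder with the real project name.
render_manifest() {            # $1 = template file, $2 = target project
  sed "s/<PROJECT-MASTER-X>/$2/g" "$1"
}

# Ask the API server whether a ServiceAccount may perform a verb on a resource in a
# project. Prints "yes" or "no" (oc exits non-zero for "no").
sa_can_i() {   # $1 = SA namespace, $2 = SA name, $3 = project, $4 = verb, $5 = resource
  oc auth can-i "$4" "$5" -n "$3" --as="system:serviceaccount:$1:$2" 2>/dev/null
}

# Verify the cjoc ServiceAccount (defined in namespace $1) against project $2.
# Returns 0 only when every expected grant is allowed AND the excess ones are denied.
verify_cjoc_access() {
  cjoc_ns=$1; project=$2; failures=0
  # Grants the master-management Role must provide (verb:resource).
  for pair in create:statefulsets create:services create:persistentvolumeclaims \
              create:routes list:secrets get:events watch:pods; do
    verb=${pair%%:*}; res=${pair#*:}
    if [ "$(sa_can_i "$cjoc_ns" cjoc "$project" "$verb" "$res")" != yes ]; then
      echo "MISSING: $verb $res in $project"; failures=$((failures + 1))
    fi
  done
  # Least-privilege checks: the Role grants only "list" on secrets and nothing on
  # rolebindings, so each of these must come back "no".
  for pair in get:secrets create:secrets create:rolebindings; do
    verb=${pair%%:*}; res=${pair#*:}
    if [ "$(sa_can_i "$cjoc_ns" cjoc "$project" "$verb" "$res")" = yes ]; then
      echo "EXCESS: $verb $res in $project"; failures=$((failures + 1))
    fi
  done
  [ "$failures" -eq 0 ]
}

# Typical run against a real cluster (project name is a constructed example):
#   oc new-project controller-a
#   render_manifest jenkins-rbac.yaml controller-a | oc apply -n controller-a -f -
#   render_manifest cjoc-rbac.yaml controller-a | oc apply -n controller-a -f -
#   verify_cjoc_access cje controller-a
```

A cjoc ServiceAccount bound to a broader role (for example a project admin role) fails the EXCESS checks, which is the signal that the project was not prepared with the minimal Role above.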
In August 2020, the Jenkins project voted to replace the term master with controller. We have taken a pragmatic approach to cleaning these up, ensuring the least amount of downstream impact as possible. CloudBees is committed to ensuring a culture and environment of inclusiveness and acceptance - this includes ensuring the changes are not just cosmetic ones, but pervasive. As this change happens, please note that the term master has been replaced through the latest versions of the CloudBees documentation with controller (as in managed controller, client controller, team controller) except when still used in the UI or in code.