Allowing non-cluster administrators to install Pulp Operator in OpenShift

Cluster administrators can use OperatorGroups to allow regular users to install Operators.
To do so, as a cluster-admin, create an OperatorGroup in the namespace where regular users should be able to install Pulp. For example:

$ oc apply -f- <<EOF
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: pulp-operator-group
  namespace: pulp
spec:
  targetNamespaces:
  - pulp
EOF

See the official OpenShift documentation for more information: Operator Groups

Installing Pulp Operator as a regular user

If the OperatorGroup is already present in the namespace, a user with the edit or admin role in that namespace can install Pulp Operator:

$ oc apply -f- <<EOF
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  labels:
    operators.coreos.com/pulp-operator.pulp: ""
  name: pulp-operator
  namespace: pulp
spec:
  channel: beta
  installPlanApproval: Automatic
  name: pulp-operator
  source: community-operators
  sourceNamespace: openshift-marketplace
  startingCSV: pulp-operator.v1.0.0-alpha.4
EOF

Note

Role-based access control (RBAC) for Subscription objects is automatically granted to every user with the edit or admin role in a namespace. However, RBAC does not exist on OperatorGroup objects; this absence is what prevents regular users from installing Operators. Pre-installing Operator groups is effectively what gives installation privileges.
See OpenShift official documentation for more information: Understanding Operator installation policy
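
To confirm the delegation the note describes, a cluster administrator can run a check like the following. It is an added example, not part of the Pulp Operator documentation; the function name `check_operator_delegation` and the user name passed to it are hypothetical, and it assumes a logged-in `oc` session that is allowed to impersonate users with `--as`.

```shell
# Added example (not from the Pulp Operator docs).
# Usage: check_operator_delegation <namespace> <user>   (both are placeholders)
check_operator_delegation() {
  ns=$1; user=$2; rc=0
  og=operatorgroups.operators.coreos.com
  sub=subscriptions.operators.coreos.com

  # OLM expects exactly one OperatorGroup in the namespace.
  count=$(oc get "$og" -n "$ns" -o name | wc -l | tr -d ' ')
  if [ "$count" -ne 1 ]; then
    echo "FAIL: $count OperatorGroups in $ns (expected 1)"; rc=1
  fi

  # The group should target only its own namespace, as in the manifest above.
  targets=$(oc get "$og" -n "$ns" -o jsonpath='{.items[*].spec.targetNamespaces[*]}')
  if [ "$targets" != "$ns" ]; then
    echo "FAIL: targetNamespaces is '$targets' (expected '$ns')"; rc=1
  fi

  # Users with edit/admin are expected to be able to create Subscriptions...
  if [ "$(oc auth can-i create "$sub" -n "$ns" --as "$user" 2>/dev/null)" != yes ]; then
    echo "FAIL: $user cannot create Subscriptions in $ns"; rc=1
  fi

  # ...but not OperatorGroups: that object is the cluster-admin's gate.
  if [ "$(oc auth can-i create "$og" -n "$ns" --as "$user" 2>/dev/null)" = yes ]; then
    echo "FAIL: $user can create OperatorGroups in $ns"; rc=1
  fi

  [ "$rc" -eq 0 ] && echo "OK: $ns is delegated to $user as described"
  return "$rc"
}
```

A non-zero return means the namespace does not match the setup on this page, either because the OperatorGroup is missing or scoped more widely than `pulp`, or because the user's RBAC differs from the default edit/admin roles.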

Deploying Pulp Operator

After configuring the Subscription, the only remaining step is to create the Pulp CR. For example:

$ oc apply -f- <<EOF
apiVersion: repo-manager.pulpproject.org/v1alpha1
kind: Pulp
metadata:
  name: pulp
  namespace: pulp
spec:
  api:
    replicas: 1
  content:
    replicas: 1
  worker:
    replicas: 1
EOF

See Custom Resources for more information about the available fields of the Pulp CR, or check our list of samples.

Installing multiple instances of Pulp

To deploy multiple instances of Pulp in different namespaces, repeat the following steps in each namespace where Pulp should be installed:


Last update: 2023-07-19