A little bit of AMQ Background
Two types of permissions are needed to make this work. First, you need AMQ Broker permissions to create the necessary elements. Second, you need permissions within OpenShift (Kubernetes) to access the administrative console.
AMQ components are defined as Custom Resource Definitions within OpenShift. The broker itself, along with the addresses and securities, are all instances of these custom resources. Overall access to custom resources in OpenShift is determined by the "apiextensions.k8s.io" API group, whereas the permissions specifically for AMQ elements reside within the "broker.amq.io" group.
Step 1: Creating the Role with the AMQ Permissions
Configuring the permission is straightforward. First, create the role in OpenShift: save the configuration below in a yml file (like AMQPermissions.yml) and execute the following command:
oc create -f AMQPermissions.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crd-queue-admin
rules:
  # AMQ Broker custom resources: addresses, brokers, scale-downs, securities
  - apiGroups: ["broker.amq.io"]
    resources: ["activemqartemisaddresses"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["broker.amq.io"]
    resources: ["activemqartemises"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["broker.amq.io"]
    resources: ["activemqartemisscaledowns"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["broker.amq.io"]
    resources: ["activemqartemissecurities"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # The CustomResourceDefinition objects themselves
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
Step 2: Assign the AMQ Role to a user
Now that you have created the role, you can assign it to the desired user (replace <username> with that user's name):
oc adm policy add-role-to-user crd-queue-admin <username>
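Before handing a role like this to a user, it is worth checking what its rules actually grant. The script below is an added example, not part of the original article: it audits a role exported as JSON (as `oc get clusterrole crd-queue-admin -o json` prints it) for verbs that are not standard API request verbs and for write verbs on the cluster-scoped customresourcedefinitions resource. The function name, the sample role and the verb allow-list are assumptions made for this illustration.

```python
import json

# Standard request verbs for ordinary resources. Assumption: special-purpose
# verbs (bind, escalate, impersonate, ...) are not expected in this role and
# are therefore reported for review as well.
KNOWN_VERBS = {"get", "list", "watch", "create", "update", "patch",
               "delete", "deletecollection", "*"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

# Constructed sample: two rules in the shape of crd-queue-admin, as an
# `oc get clusterrole <name> -o json` export would contain them.
SAMPLE_ROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "crd-queue-admin"},
  "rules": [
    {"apiGroups": ["broker.amq.io"],
     "resources": ["activemqartemisaddresses"],
     "verbs": ["get", "view", "list", "watch", "create"]},
    {"apiGroups": ["apiextensions.k8s.io"],
     "resources": ["customresourcedefinitions"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}
  ]
}
""")


def audit_role(role):
    """Return (rule_index, finding) tuples for rules that deserve a second look."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        # Typos and role names used as verbs are accepted by the API but match no request.
        for verb in sorted(verbs - KNOWN_VERBS):
            findings.append((i, f"verb '{verb}' is not a standard API request verb"))
        # CRDs are cluster-scoped; changing one affects every project that uses it.
        touches_crds = (groups & {"apiextensions.k8s.io", "*"}
                        and resources & {"customresourcedefinitions", "*"})
        if touches_crds and verbs & WRITE_VERBS:
            writes = ", ".join(sorted(verbs & WRITE_VERBS))
            findings.append((i, f"write verbs on customresourcedefinitions: {writes}"))
    return findings


if __name__ == "__main__":
    for index, finding in audit_role(SAMPLE_ROLE):
        print(f"rule {index}: {finding}")
```

To audit a live role, load the output of the `oc get ... -o json` command with `json.load` and pass it to `audit_role` in place of the constructed sample.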