Creating custom security context constraints for services
Most IBM® Software Hub services use the restricted-v2 security context constraint (SCC) that is provided by Red Hat® OpenShift® Container Platform. However, if you plan to install certain IBM Software Hub services, you might need to create one or more custom SCCs.
- Who needs to complete this task?
- A cluster administrator must complete this task.
- When do you need to complete this task?
- You must complete this task before you install a service that uses a custom SCC.
The restricted-v2 SCC
Red Hat OpenShift Container Platform provides a set of predefined SCCs that control the actions that a pod can perform and what it can access. These SCCs can be used, modified, or extended by an administrator. By default, containers are granted access to the restricted-v2 SCC and have only the capabilities that are defined by the restricted-v2 SCC.
When you install the IBM Software Hub control plane, the default service account is associated with the restricted-v2 SCC.
IBM Software Hub does not support the use of privileged SCCs in OpenShift.
Most IBM Software Hub services use the restricted-v2 SCC.
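The following audit sketch is an added example, not IBM or Red Hat code. It groups pods by the SCC they were admitted under, which OpenShift records in the `openshift.io/scc` pod annotation, so that anything other than restricted-v2 or an expected custom SCC stands out. The pod names, service account names, the custom SCC name, and the list of predefined SCC names are assumptions made for illustration.

```python
import json
import sys

SCC_ANNOTATION = "openshift.io/scc"  # written on each pod when it is admitted
# Predefined SCC names (assumed list; adjust for your OpenShift version).
PREDEFINED = {"restricted", "restricted-v2", "nonroot", "nonroot-v2", "anyuid",
              "hostaccess", "hostmount-anyuid", "hostnetwork", "hostnetwork-v2",
              "privileged"}

def classify(scc):
    """Map the SCC a pod was admitted under to an audit bucket."""
    if scc is None:
        return "unknown"        # annotation missing, pod needs a manual look
    if scc == "restricted-v2":
        return "default"        # what most services are expected to use
    if scc == "privileged":
        return "unsupported"    # privileged SCCs are not supported
    if scc not in PREDEFINED:
        return "custom"         # e.g. an SCC created for a Db2-based service
    return "review"             # another predefined SCC: confirm it is intended

def audit_pods(pod_list):
    """Group (pod, service account, SCC) tuples by audit bucket."""
    findings = {}
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        scc = (meta.get("annotations") or {}).get(SCC_ANNOTATION)
        sa = pod.get("spec", {}).get("serviceAccountName", "default")
        findings.setdefault(classify(scc), []).append((meta.get("name"), sa, scc))
    return findings

def _pod(name, sa, scc):
    ann = {SCC_ANNOTATION: scc} if scc else {}
    return {"metadata": {"name": name, "annotations": ann},
            "spec": {"serviceAccountName": sa}}

# Constructed sample in the shape of `oc get pods -o json`; all names are made up.
SAMPLE_PODS = {"items": [
    _pod("control-plane-ui-0", "default", "restricted-v2"),
    _pod("db-engine-0", "example-db-sa", "example-custom-db2-scc"),
    _pod("debug-tools", "default", "privileged"),
    _pod("legacy-job-1", "example-job-sa", "anyuid"),
    _pod("pending-pod", "default", None),
]}

if __name__ == "__main__":
    data = SAMPLE_PODS if sys.stdin.isatty() else json.load(sys.stdin)
    for bucket, pods in sorted(audit_pods(data).items()):
        for name, sa, scc in pods:
            print(f"{bucket:12} pod={name} sa={sa} scc={scc}")
```

To audit a real project, pipe the JSON output of `oc get pods -o json` for that project into the script; with no piped input it reports on the constructed sample.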
SCCs for IBM Cloud Pak foundational services
Custom SCCs
If you plan to install any of the following services, you might need to manually create the appropriate custom SCCs:
- Data Virtualization
- Db2
- Db2 Big SQL
- Db2 Warehouse
- OpenPages
| Service | Required SCCs |
|---|---|
| Data Virtualization | Db2 Big SQL uses an embedded Db2 database, which requires a custom SCC. The SCC is used only by the instance of Db2 Big SQL that embeds the Db2 database. The required SCC is created automatically. For details, see Creating the custom security context constraint for embedded Db2 databases. |
| Db2 | Db2 requires a custom SCC. By default, the SCC is created automatically; however, you can choose to create the SCC manually. For details, see Creating the custom security context constraint for Db2. |
| Db2 Big SQL | Db2 Big SQL uses an embedded Db2 database, which requires a custom SCC. The SCC is used only by the instance of Db2 Big SQL that embeds the Db2 database. The required SCC is created automatically. For details, see Creating the custom security context constraint for embedded Db2 databases. |
| Db2 Warehouse | Db2 Warehouse requires a custom SCC. By default, the SCC is created automatically; however, you can choose to create the SCC manually. For details, see Creating the custom security context constraint for Db2 Warehouse. |
| OpenPages | When you create an OpenPages service instance, you can choose whether you want to use: If you choose to use an embedded Db2 database, the database requires a custom SCC. The SCC is used only by the instance of OpenPages that embeds the Db2 database. The required SCC is created automatically. For details, see Creating the custom security context constraint for embedded Db2 databases. |
| watsonx.governance™ | If you install the OpenPages component of watsonx.governance, you can either: |