Creating the custom security context constraint for Informix

Informix requires a custom security context constraint (SCC).

If you plan to install the Informix service, you must create the informix-scc security context constraint.

About this task

The Informix SCC is created once and used by each instance of Informix that you install.

Run the cpd-cli manage apply-scc command to:
  • Create the SCC.
  • Bind the SCC to the informix service account in the projects where you plan to install Informix.

    For example, if you plan to install Informix in two projects, you must run the command twice to bind the SCC to the service account in each project.

Informix SCC definition
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  annotations:
    kubernetes.io/description: informix-scc provides all features of the restricted SCC but runs as user 1000.
  name: informix-scc
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAs
  uid: 1000
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
users:
- system:serviceaccount:${PROJECT_CPD_INST_OPERANDS}:informix

Procedure

To create the informix-scc SCC:

  1. Run the cpd-cli manage login-to-ocp command to log in to the cluster as a user with sufficient permissions to complete this task. For example:
    cpd-cli manage login-to-ocp \
    --username=${OCP_USERNAME} \
    --password=${OCP_PASSWORD} \
    --server=${OCP_URL}
    Tip: The login-to-ocp command takes the same input as the oc login command. Run oc login --help for details.
  2. Run the following command to create the SCC:
    cpd-cli manage apply-scc \
    --cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
    --components=informix
    Tip: If you want to preview the oc commands that the cpd-cli will issue on your behalf, you can run the command with --preview=true.

    The oc commands are saved to the preview.sh file in the work directory.

Results

The informix-scc SCC is created if it doesn't exist and is bound to the informix service account in the ${PROJECT_CPD_INST_OPERANDS} project.
If you want to confirm that the informix service account can use the informix-scc SCC, run:
    oc adm policy who-can use scc informix-scc \
    --namespace ${PROJECT_CPD_INST_OPERANDS} | grep "informix"
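The who-can check above confirms the binding but not that the SCC still matches the definition on this page. The following script is an added example (not part of this page or of cpd-cli) that audits the SCC's hardening fields and its service-account bindings; it assumes the SCC is read from `oc get scc informix-scc -o json`, and the project name `cpd-instance` is a constructed stand-in for `${PROJECT_CPD_INST_OPERANDS}`.

```python
import json
import sys

# Constructed sample: this page's informix-scc in the JSON form that
# `oc get scc informix-scc -o json` returns (status omitted); the project name
# cpd-instance is a constructed stand-in for ${PROJECT_CPD_INST_OPERANDS}.
INFORMIX_SCC_JSON = """{
  "kind": "SecurityContextConstraints", "metadata": {"name": "informix-scc"},
  "allowHostDirVolumePlugin": false, "allowHostIPC": false, "allowHostNetwork": false,
  "allowHostPID": false, "allowHostPorts": false, "allowPrivilegeEscalation": false,
  "allowPrivilegedContainer": false, "allowedCapabilities": null,
  "defaultAddCapabilities": null, "fsGroup": {"type": "RunAsAny"},
  "readOnlyRootFilesystem": false, "requiredDropCapabilities": ["ALL"],
  "runAsUser": {"type": "MustRunAs", "uid": 1000}, "seLinuxContext": {"type": "MustRunAs"},
  "supplementalGroups": {"type": "RunAsAny"},
  "volumes": ["configMap", "downwardAPI", "emptyDir", "persistentVolumeClaim", "projected", "secret"],
  "users": ["system:serviceaccount:cpd-instance:informix"]
}"""

# Host-namespace, privileged and privilege-escalation switches must all be false.
MUST_BE_FALSE = ("allowHostDirVolumePlugin", "allowHostIPC", "allowHostNetwork",
                 "allowHostPID", "allowHostPorts", "allowPrivilegeEscalation",
                 "allowPrivilegedContainer")
ALLOWED_VOLUMES = {"configMap", "downwardAPI", "emptyDir", "persistentVolumeClaim",
                   "projected", "secret"}

def audit_scc(scc, projects):
    """Return deviations from the expected informix-scc (empty list = matches). scc is
    JSON text or a parsed dict; projects lists every project where Informix is installed."""
    scc = json.loads(scc) if isinstance(scc, str) else scc
    findings = [f"{f} must be false" for f in MUST_BE_FALSE if scc.get(f) is not False]
    if scc.get("allowedCapabilities") or scc.get("defaultAddCapabilities"):
        findings.append("no capabilities may be added")
    if scc.get("requiredDropCapabilities") != ["ALL"]:
        findings.append("requiredDropCapabilities must be [ALL]")
    if scc.get("runAsUser") != {"type": "MustRunAs", "uid": 1000}:
        findings.append("runAsUser must be MustRunAs with uid 1000")
    extra = set(scc.get("volumes", [])) - ALLOWED_VOLUMES
    if extra:
        findings.append("unexpected volume types: " + ", ".join(sorted(extra)))
    # Exactly one binding per project: the informix service account, nothing else.
    expected = {f"system:serviceaccount:{p}:informix" for p in projects}
    actual = set(scc.get("users", []))
    findings += [f"unexpected user bound: {u}" for u in sorted(actual - expected)]
    findings += [f"missing binding: {u}" for u in sorted(expected - actual)]
    return findings

if __name__ == "__main__":
    # Usage: oc get scc informix-scc -o json | python3 audit_scc.py <project>...
    text = INFORMIX_SCC_JSON if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(audit_scc(text, sys.argv[1:] or ["cpd-instance"])) or "OK")
```

Pass every project where you ran apply-scc as an argument; a "missing binding" finding means the command still has to be run for that project.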