Creating the custom security context constraint for Informix
Informix requires a custom security context constraint (SCC).
If you plan to install the Informix service, you must create the informix-scc security context constraint.
About this task
The Informix SCC is created once and used by each instance of Informix that you install.
Run the cpd-cli manage apply-scc command to:
- Create the SCC.
- Bind the SCC to the informix service account in the projects where you plan to install Informix.
For example, if you plan to install Informix in two projects, you must run the command twice to bind the SCC to the service account in each project.
Informix SCC definition
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  annotations:
    kubernetes.io/description: informix-scc provides all features of the restricted SCC but runs as user 1000.
  name: informix-scc
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAs
  uid: 1000
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
users:
- system:serviceaccount:${PROJECT_CPD_INST_OPERANDS}:informix
Procedure
To create the informix-scc SCC:
Results
The informix-scc SCC is created if it doesn't exist and is bound to the informix service account in the ${PROJECT_CPD_INST_OPERANDS} project. If you want to confirm that the informix service account can use the informix-scc SCC, run:
oc adm policy who-can use scc informix-scc \
  --namespace ${PROJECT_CPD_INST_OPERANDS} | grep "informix"
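An added example, not part of the original documentation: a Python check that compares an SCC object (for instance, the parsed output of oc get scc informix-scc -o json) against the definition above and reports any setting, volume type, or bound subject that goes beyond it. The project names cpd-operands and other-project and the sample object are constructed for illustration.

```python
# Values copied from the informix-scc definition on this page.
EXPECTED = {
    "allowHostDirVolumePlugin": False, "allowHostIPC": False,
    "allowHostNetwork": False, "allowHostPID": False,
    "allowHostPorts": False, "allowPrivilegeEscalation": False,
    "allowPrivilegedContainer": False, "allowedCapabilities": None,
    "defaultAddCapabilities": None, "requiredDropCapabilities": ["ALL"],
    "runAsUser": {"type": "MustRunAs", "uid": 1000},
}
ALLOWED_VOLUMES = {"configMap", "downwardAPI", "emptyDir",
                   "persistentVolumeClaim", "projected", "secret"}


def audit_scc(scc, projects):
    """Return findings where an SCC object differs from the documented one."""
    findings = []
    for field, want in EXPECTED.items():
        got = scc.get(field)
        # An unset capability list may come back as null or as an empty list.
        same = (not got) if want is None else got == want
        if not same:
            findings.append(f"{field}: expected {want!r}, found {got!r}")
    extra_volumes = set(scc.get("volumes") or []) - ALLOWED_VOLUMES
    if extra_volumes:
        findings.append(f"volumes: unexpected types {sorted(extra_volumes)}")
    # Only the informix service account in each listed project should be bound.
    expected_users = {f"system:serviceaccount:{p}:informix" for p in projects}
    extra_users = set(scc.get("users") or []) - expected_users
    if extra_users:
        findings.append(f"users: unexpected subjects {sorted(extra_users)}")
    if scc.get("groups"):  # the documented definition binds no groups
        findings.append(f"groups: unexpected subjects {sorted(scc['groups'])}")
    return findings


# Constructed sample: the documented SCC after three hypothetical edits.
DRIFTED = {
    **EXPECTED,
    "allowPrivilegeEscalation": True,
    "defaultAddCapabilities": [],
    "volumes": ["configMap", "secret", "hostPath"],
    "users": ["system:serviceaccount:cpd-operands:informix",
              "system:serviceaccount:other-project:builder"],
}

if __name__ == "__main__":
    for finding in audit_scc(DRIFTED, ["cpd-operands"]):
        print(finding)
```

Pass every project where Informix is installed in the projects list, because the SCC is shared and is bound once per project.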